11241100x80000000000000007542249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:01.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:01.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C0FC60BF41689EDDFD4294DDE9F7CF,SHA256=86B891C6B1FDBF1DB369DF1329FC4126E09E3FC7DBCC7E0485B2B10F9B355BD3falsetrue 23542300x80000000000000002130946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:01.060{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8496B8821E7BA72FC0BD05DA64F146B3,SHA256=5FE375EDAA754532C6E98B5CA33BBED52ED2F9B18E5F569ED671CF45BD77BFF6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:02.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:02.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DB9EF65DB085619A412CFFEACF4D2E,SHA256=2E957BC8A99A59E00590F9096E8E37D402F1951A8382DFECD888C41825400CC3falsetrue 23542300x80000000000000002130947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:02.062{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26E52BFA65D747A5BF73EDE05762BBE,SHA256=E8EB8FF3559644D358884861308FBA0006CE3DC6D7B83F9C2CC7FF32F12D3ACD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:03.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:03.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98B382C37AEC220EF53A3064DE8BD46,SHA256=60F94ADE8D5ADCA7C849A3105B964643DE56DB4AF87E828B819D7594248C70BBfalsetrue 23542300x80000000000000002130948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:03.063{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26147D405398DC4FEBEFA02EE85D5353,SHA256=62D3A650969FEC68DA787B1D384CE1768E13DD779A23FC725D7C46688B5C10C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:03.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:03.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64BC7EA3B82907393C5E578ED8B3F925,SHA256=ECCC64955A2C60E070C8ED5638D3356111C84C816EFC2AB1270904E2C087A535falsetrue 11241100x80000000000000007542263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.634{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.634{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0BF29BBD8C2D1E4E433BC3A5FB289A,SHA256=11C9BF00B86F76AA4EEAEE10349D4AA73AEE24E014F69252AE128575BF489D10falsetrue 354300x80000000000000002130952Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:05:55.971{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62328-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002130951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:04.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A70BEEE01443CA146B93B9B90BAC48CE,SHA256=C781C675E8082C0EBF071DF8CA9A6A24C3283F7DB88AA12225140042EE59739B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:04.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5A5512B918DEE6EAFD39AAA15008D7,SHA256=AC6E73826EC93D51FAC1B99247DB96C68E85475FF419D8A514D1403C79583902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:04.065{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8732CA7C3C4F90843B4D43E6D89B67E8,SHA256=B6ECECEE1FE70ABF8217F5B5830E1ADAD2864A8FD0B1DE24CB3B08284E27AEE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=22C36D140DF5976A9D3D005E11C7AE79,SHA256=458E38DEA368E9311F46BE87874E2E5D1426EB7EE3ECC154398AAC84E782C95Dfalsetrue 11241100x80000000000000007542259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.271{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.271{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2EB992E0427C8B7CE99A7D96DA59816,SHA256=D1930F469548B6D7DEC7FB813441C81BC14A3BC9773B0B787D9FD7A46089C302falsetrue 11241100x80000000000000007542257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32155D75D3E8C4A643B9C84C915A8D72,SHA256=AA3E417A7E314CB357A2A53FCDC2CBA3F13C3C9B5007892B6D8B8824BA918487falsetrue 354300x80000000000000007542268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:05:47.024{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56723-false10.0.1.12-8000- 11241100x80000000000000007542267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:05.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:05.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48DDB831B0E0C9667372D7C9B74A21C,SHA256=07492E5D6E4BEFEA155A58BE0661752A0F1E61B861763B1241E28FA8E38990DDfalsetrue 23542300x80000000000000002130953Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:05.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CCCA8073B0ADCBBAADF2F94F36F9E4,SHA256=7B3C6E5F29D6F4C31169010E16DB87883FDC80B43197DB25291B75D7A857253E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:05.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:05.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1760B095C38307B228318F9E7CF255,SHA256=917ADCCAC2D86457CF6CAC971499F6341B877F5068A8D100EC12EA06EA08B874falsetrue 11241100x80000000000000007542270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:06.684{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:06.684{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEB1D07BEA17348D2B5E78596B10660,SHA256=76A3C7530CAD48BE09FBD16709AAA50AE035566D3E93B65DA342A22CB6926738falsetrue 23542300x80000000000000002130954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:06.083{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E86B6093D060965E5DCFB764138529,SHA256=585AFC054062D1535FE65E014D2371428BC47E68DA68F58827E9F46B7997978C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:07.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:07.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24CC69F7B352AD8425D02D5A80818FB,SHA256=CB87B7F44FBD94180F10C8803BFDB7EF8227475659DA5169A6D29FA9F2613B79falsetrue 10341000x80000000000000002130968Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-907F-613B-871B-01000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130967Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130966Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130965Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130964Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130963Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130962Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130961Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130960Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130959Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130958Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-907F-613B-871B-01000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002130957Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.917{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-907F-613B-871B-01000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002130956Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.902{AEE49BD1-907F-613B-871B-01000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002130955Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.085{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4AFE0B67BFAC33CBC2447658C23850,SHA256=CCABA82396F48F4A2BBAF6493A235568E2A5103825BD39C9FA4246BD160F21A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007542277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553027DD8A36E777A9F2E0048116CCAC,SHA256=B52D8880F6805D72A6ECA9E6DC0FD21BEFCDD4E782B1F5135FBD057C3B1B0845falsetrue 11241100x80000000000000007542276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD09E00B0E4274A117946AE2969606F8,SHA256=3FECC8A837EB5D1F761C553FB234FF92038EB7B1B0790EB18AE69D8E57C85E3Ffalsetrue 10341000x80000000000000002130985Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.733{AEE49BD1-9080-613B-881B-01000000F101}45561184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130984Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130983Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130982Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130978Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130977Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130976Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002130973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002130972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.587{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002130971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.172{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9914MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.101{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935426EB7B753725FBA8FB2E3A86DF95,SHA256=EF831B9FD2EFBC184E0E2F89BD7CA45CCA87094B8FE7FC9C9A0EEBAE7F684FD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2835B92CFADDB35EF46D2848F602A461,SHA256=3413050027086FB9A3B3D9097939D977418AF83FCCB782569443DCC830713439falsetrue 10341000x80000000000000002130969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.036{AEE49BD1-907F-613B-871B-01000000F101}27603080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007542284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D678F6055C9488C3D873FC4F4ACC8A,SHA256=B60DDA37C1AE5E232C3FE5DFA0C223BC1A8778658F8EE5A60083495606CA320Afalsetrue 10341000x80000000000000002131002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.354{AEE49BD1-9081-613B-891B-01000000F101}3464344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002130990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002130989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.221{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002130988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.171{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9915MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A70BEEE01443CA146B93B9B90BAC48CE,SHA256=C781C675E8082C0EBF071DF8CA9A6A24C3283F7DB88AA12225140042EE59739B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130986Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BA4555A376971112799B054EAABEC7,SHA256=E135AC43467CA0B67D3D1E9EDE2194E2DE8499E9D69AD366AC07E52174C17639,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2CBF0E2F9C8EA605D02F5CB3A9883F5C,SHA256=953BEFC5AEB36539D362DF2FEA2F55BF75232A97EA18D0851D1B731C6716AE17falsetrue 11241100x80000000000000007542280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=841E3A6DDF3EE330083F44447AF8709C,SHA256=590AC35AA07E79749EF8A9D6025D74E2E1F667BEDDCC8E1253920A319575560Afalsetrue 11241100x80000000000000007542278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x80000000000000007542286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:10.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:10.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C400519E56F3C6EA3D568ABDFB038C91,SHA256=AA526123449CB74454E15A69F143BC35D5F57EFE00C80D8FC26C9A74B6126769falsetrue 354300x80000000000000002131005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:01.980{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62329-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:10.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27FA57C3142E0C126D7BF7BA9CC7EA2E,SHA256=82469B0B4B6A62E86B4BDE983DE76F9624C1B3ED930A51851860FE95C6E6DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:10.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819630A199DBACCCB8F9D8BFC9658A90,SHA256=3337403EF812D89C93DBCE8FADCBB5801D5D0EF3C00F7917A2F9FA251048C0AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:11.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:11.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01CAFDAB13230D18141D0A1E2ECD8F6,SHA256=780126BDECE7E914F4DFCDA2B6C66231C56F0DFC4F16E19B6572D970CF73FBABfalsetrue 23542300x80000000000000002131007Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:11.573{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131006Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:11.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC158940E34B514B65545F1C2D843AF5,SHA256=D9F9661551F9B66185280065776D31929C7F678784153CCC6CF79A4CA1C2F2DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:11.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:11.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65EDF4E332F6D81CA744D74F46541DF5,SHA256=AC04B62442D1A2EDA0DAA106C8CEF54FB6A20EA4829355B7A77FEC1761668A39falsetrue 354300x80000000000000007542293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:05:53.039{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56724-false10.0.1.12-8000- 11241100x80000000000000007542292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:12.806{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:12.806{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEBE03B3FFCAD22F0B85F36F9687B56,SHA256=4F94C7ED749C975BEE911F3EFA0E193B12FE0C6F18473FFFDB8805103FC45125falsetrue 23542300x80000000000000002131009Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:12.554{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A3AAC177CD2B1022C9B1381B2ADA80,SHA256=86E2F3A65FD28252C063702A1C085AA4014AA74FACEE7E50BA73CF20510731B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131008Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:12.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CBDC5EDFFE6822C9CF81BB7CA8F45C,SHA256=9B7F158D0099104BB74336B78CB2CE21C58C37ED19E0D7BF186C484994BE0849,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:13.821{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:13.821{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346917E15F03338F8CD5FD54A805FDB4,SHA256=6C5ADAADE6DB00181E354F31BBF1928B62BA071898029E0AD3662D1689E109B5falsetrue 354300x80000000000000002131011Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:04.342{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62330-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002131010Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:13.121{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C85AB92C6C33C575DB5C07D1211B011,SHA256=B7763A8155629E69C19C8DB58A793CE9BE6E27AEDA2DA15A4E5A2BD3A4713196,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:13.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:13.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5885738D45C1561C65E9E5B670F44FB7,SHA256=CDCE531D1A30E3B56506BC0AAFE21BC2C3E9E1CC062E5EB7B08BDEEE9B1D0D73falsetrue 11241100x80000000000000007542303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:14.838{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:14.838{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB32F8B00FD3B734398A8EA4A5ED2354,SHA256=5A4264BB820FAA82FC3887E93E49377E0BCA58822FB805D9EE63D20AC5ED2251falsetrue 23542300x80000000000000002131012Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:14.122{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1168A267C89EA441A1C08C68907BE64D,SHA256=1C5AACB323A1B5EDB213A17184CCDAB531260956A864537DE62DF5E7AB0FCF6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:14.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:14.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75C749447D4FB161ACA3C8FF7202829E,SHA256=5BC28462461F6B62118DBA84183A7A499F965646716AC07462201DD4064581B2falsetrue 11241100x80000000000000007542299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:14.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:14.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C291C548F78F6E2E373FCB1B05B62057,SHA256=F0715A0B9A6230C88A3258BEAB8AA7CD814F6E4CA388938B7DA0E49002CE2B0Cfalsetrue 11241100x80000000000000007542305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:15.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:15.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AE5F5DC5A4C5BD405210A7375A1560,SHA256=6EC1282B97EB605E4F3539DA5C31E9B568C642C1A66C62AB397BDD9FAE727B93falsetrue 23542300x80000000000000002131013Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:15.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B745FFE4D8E7F90EF3344CE55E43ED5E,SHA256=38E1A24D5F295E9079B61EF707DF88B8B4D89CBF5798A2B1835093638941D877,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:16.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:16.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4D53816DE420E277FF6914F83194DD,SHA256=DF3126F716B7455B46F277AC55D90007966FB9B4F3D70A4417F715922245EDF0falsetrue 354300x80000000000000002131016Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:07.830{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62331-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131015Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:16.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C396BC22DFFEAD629B8F6EEC1338D2,SHA256=5B454E3CA0CA1D3C2F6669A51944579F7FD091680BF31C30B58F0C9782ABA115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131014Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:16.110{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0FF120AEDD9B73CE2D4EA87DB9F4458,SHA256=ED5B9A03D4E574802E43F63741EE30946B60864CBA254265467D48676CC90B25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:17.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:17.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC743EC8C54BEA61328357CBCC188B3,SHA256=CEB040E0C01657E1F836A738C1726CC75C2D27FBEBD509DF4AF1E07053938450falsetrue 11241100x80000000000000007542311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:17.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:17.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7DF87DDB2834815B5866CF9FE10B02,SHA256=366395BC2D6FE911BAC507A7E100185538ECE08F414A9C1882E3D944E16C7E01falsetrue 11241100x80000000000000007542309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:17.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:17.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=331B8912E9D2EEB9DF994173E499C8C0,SHA256=0272CED9B38649947DC845CFEA235FA3E979D604DF7764BBF600D45F4322D949falsetrue 23542300x80000000000000002131017Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:17.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145C0065B8048D3ED3B0388419CD5139,SHA256=C07EDBCFAC77740A5317FFE8CDFF5F8FF11AD4C5836F22C032CBD70ABE90CE91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:18.932{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:18.932{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC176ADAD9DD163920226D803E31A673,SHA256=8EFAF5635B21F5BFA0D198A6A91217B8B52DA79E128BAB57789050B56569151Cfalsetrue 23542300x80000000000000002131018Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.128{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3654FF32818D86673217F2C00053DF67,SHA256=64FE4B01EACAE353FC535741B326CFB143361C23F220935E9A4717E50FDE988B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:18.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:18.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=08D1E9E99A6925992F39FB3DA888B992,SHA256=DD08239AE755E9DD93E80E69D1DA8191ED33C16BE871F27352D28117C1E7FE55falsetrue 354300x80000000000000007542314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:05:58.960{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56725-false10.0.1.12-8000- 11241100x80000000000000007542324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:19.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:19.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76C4A3378FECBCAA0DB2A30F3B53C05,SHA256=8E92D8D746F994A4518811CCBD9270A69E9DB49980D1F99B8F13C7C3CE9C913Dfalsetrue 11241100x80000000000000007542322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:19.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:19.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EE326112D4BA4109E0817D6B97E18E7A,SHA256=043B8BA03A2E6D15B0AD1B8AA6A1C9AACA645DEAC5E227988037078251C1288Bfalsetrue 11241100x80000000000000007542320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:19.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:19.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF96C2F3BDD4E57076DD9987B800B7F1,SHA256=EAE22189273CC9B897FDE481B7090A86C4490FF4BFDA3102CBE7BAF4357D91DDfalsetrue 10341000x80000000000000002131032Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.265{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-908B-613B-8A1B-01000000F101}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131029Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131028Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131027Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131026Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131025Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131024Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131023Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.263{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131022Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.262{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-908B-613B-8A1B-01000000F101}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131021Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.262{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-908B-613B-8A1B-01000000F101}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131020Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.246{AEE49BD1-908B-613B-8A1B-01000000F101}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131019Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:19.130{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A3B987B0F62154F2381A7ECB2D16BE,SHA256=EB0BB804902DDAC979736591633693F54FE24929AFA21797CE91FD37E312CB54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:20.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:20.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8CD261A28BCC5108A8E296BAF4DA92,SHA256=57130A64A371CAAB1FE967D0809BAF89F5AD20E0E16A5C8FBAD22CDCFB03BF06falsetrue 23542300x80000000000000002131034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:20.247{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B073E21DDC7443F172770229F3EE2618,SHA256=2D333019C6A4B21F70E4AF2E44D0F39A816577C9F7356E55C7FF0FB4401B9537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131033Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:20.131{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9C1F5F8B32BCE7875022358A7AD4FF,SHA256=D9D40EF5EE896AFCB57F70607BB6DAFC729EEDB8103BF2E90DEC631B1FED56A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:21.977{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:21.977{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F080E288980B599BE6F011EC80D8CA0,SHA256=4E9B0A940B672B996729115C34193AB6C0122D4C2BAD205CAECF9EA50ECE490Dfalsetrue 354300x80000000000000002131037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:13.041{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62332-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131036Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:21.265{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A11711AB365D6A2CEEE38E31968BE03,SHA256=A5937CBB810511DF29BAF9B359F4BAC02CE032CFEA0DC43008A5B95862225A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131035Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:21.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9BEDB1CAD07E27842B7B12D0A8E56E,SHA256=FF036F7D67C7F602DE205A860518709A3726C0B00D880F1E932DA9FD81562E91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:22.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:22.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D298F78A96091DE91F2F9549819B0F,SHA256=DC94894A3B163BF9D28FC7121F602FE2DCEDACA8D9D7646E379C91BF5030D5ADfalsetrue 23542300x80000000000000002131038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:22.166{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E1EA68ED106B1B7E1F40165A7B6F24,SHA256=795C0495CAADC2CD77C6E499A59CC6F7C68F457F0D67700CB251B150150E6125,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81439E3D967509F8392FF5C0229E4CC1,SHA256=09213FA41E1A666DE5BD4FAE928E9A49EB56138CA0DC80B7A3B8ADA8E94001E2falsetrue 354300x80000000000000007542335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.901{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56726-false10.0.1.12-8000- 11241100x80000000000000007542334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A12ECDF3B9A90E50368EEDA4B397810,SHA256=B4DF59098E058EFD3D6C79C38A4778C4A1178F70F2C10BB1965919D83BE6EF2Afalsetrue 11241100x80000000000000007542332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7DF87DDB2834815B5866CF9FE10B02,SHA256=366395BC2D6FE911BAC507A7E100185538ECE08F414A9C1882E3D944E16C7E01falsetrue 23542300x80000000000000002131039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:23.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEADE564B6B619912904780F7D6FBEF7,SHA256=8051C7DCFE5A4EDE26E5E0A0AD28087CDCB4646FF1E61AA618DD34A5EA9AE1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007542346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.476{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9923MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007542345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.475{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99232021-09-10 17:06:24.475 11241100x80000000000000007542344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.474{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99242021-09-10 17:06:24.474 11241100x80000000000000007542343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B8CF1AFABB02C10273F8602EADC68E1F,SHA256=54F9734C4865EB199B7F6F298025C7D77B4E31BA06B4233B5B8C62B28731E57Dfalsetrue 11241100x80000000000000007542341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C79CD5FC68F7840814EAFDE416FA9FE6,SHA256=9C4B9E584844F4C6C9F1D890D3E9B4FD32069EE58B8C667E130F02D430A7D209falsetrue 11241100x80000000000000007542339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.007{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.007{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D62C61A868304057618BCB8830EBEBA,SHA256=FA0404E7B72A8A5E608A9B217E5E3F71008E66BE5303D8C3A56FA9E672778EAFfalsetrue 23542300x80000000000000002131040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:24.189{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1708738D32E814F9C6D623D7270624BB,SHA256=59FCBB3CDBC592CA7A899EC0C5B406BA8F0BE03EE8D75B8CC5755A78BF64D8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007542349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.489{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9924MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000007542348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A704295B7237C0348B6199657A350A9B,SHA256=07B637A991CF9BEE20E1754DECC93AB0750FEF4BA07D87EE27DBA419A5AD585Cfalsetrue 23542300x80000000000000002131041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:25.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB4D9E27A3483844106659E1AC519B2,SHA256=06B88A98E77E67D9220D1AA6D7D8E972852ABEC1CAE8C8F62C174F2DB84572AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:26.655{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B32631062929E921D6B489186FDEE2F,SHA256=90445622F287E770118093E6C71A5AF017077DF3A38288B37FF682B336EE8CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:26.655{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BABAE59EBF8C4320663CB41C06F4B5,SHA256=82A19257670757D8BE18E962362EA62F96EA3F2B2E0224BD60EB2EBECD585B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:26.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40767B56F9E79E36EF65864C1CC8366,SHA256=EA37081736432E5443FAB09BDDAF19FAA0EB76C4DF4AC3635A7720D6A08AAF34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A12ECDF3B9A90E50368EEDA4B397810,SHA256=B4DF59098E058EFD3D6C79C38A4778C4A1178F70F2C10BB1965919D83BE6EF2Afalsetrue 11241100x80000000000000007542351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7725E34EB04EA09D88C70F94875FA64,SHA256=47A85CF5689354E8BE72A4213389405DD7021C30440F5DC1CCE0B1E1E3245E41falsetrue 23542300x80000000000000002131046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:27.194{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8056F86386EA5B05C35C44F8D31A465,SHA256=CB7FD569A017C91665A1F56D1A6C979E4F320FC19334DC0FAF2DD30493B131CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007542357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.382{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal56513- 354300x80000000000000007542356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.381{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51735- 11241100x80000000000000007542355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:27.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:27.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21848D5C460220B87BAE042E15273D4,SHA256=88681DB9CE01C9670FA7749D32C1E60FAED1D3D331B9D720C776FFC6863D6BD1falsetrue 354300x80000000000000002131045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.298{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c870:e405:589:ffff-51735-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x80000000000000002131059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:28.196{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC02B6844AE1A357EE7DB789C63809C0,SHA256=2F13C1516AF9E9834275BEBE6E13D27C827DFE4D47EC50AB5EDC776E90191380,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFEE2A3B94F271763E4B6E2118F95D28,SHA256=1E40954D92F18A66F3EE1B8875349BD9B3E9ECB25EDDD588F88C486CC7D4BB76falsetrue 354300x80000000000000007542362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.995{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56727-false10.0.1.12-8000- 11241100x80000000000000007542361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC02585D4DB4242C3FB61A999F9D110E,SHA256=8EF5AF4E7B17CBF002981F2E35AE507CA86888FAAB367D6D25F202A3D917C2EBfalsetrue 11241100x80000000000000007542359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF0769F662AF32F6CC1689B985AC0D7,SHA256=6C42AC7399AED64957CAAB6117A869043353268EE299097DD02C6C91B9279C4Dfalsetrue 354300x80000000000000002131058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.999{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62334-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002131057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.307{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-296\Administratortcptruefalse10.0.1.15win-host-296.attackrange.local62333-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 13241300x80000000000000002131056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002131055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x245d8463) 13241300x80000000000000002131054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xcf18edd4) 13241300x80000000000000002131053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x30dd55d4) 13241300x80000000000000002131052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0x92a1bdd4) 13241300x80000000000000002131051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002131050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x245d8463) 13241300x80000000000000002131049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xcf18edd4) 13241300x80000000000000002131048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x30dd55d4) 13241300x80000000000000002131047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0x92a1bdd4) 23542300x80000000000000002131060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:29.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AC5BB68E74AF0F9B29BE2576BE4052,SHA256=EF743DBBE12F945CA566C97CCF0164C1A81EF338F8A343B9FE3877E11E47C428,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F207590C02FE1A625B88F15D8C700879,SHA256=B8F62999E425BA4C214A48E39DDE4FD034D49551EE1B37184D29228D6D65C475falsetrue 11241100x80000000000000007542368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B9E88F8DF0F31B96DC53BE2679EFF0A,SHA256=5C5397402A3FCD70F26C617EA4B2E7E9BAF7655FF0BC89F70AF060A15F37F5D0falsetrue 11241100x80000000000000007542366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE41394EED63F128A49EB5B1501B2A6,SHA256=2C7364ED5A6C66086A3865B4C3E7A399E7B674760CEA03C43CD93B5435192A07falsetrue 23542300x80000000000000002131061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:30.201{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0085D5852712E875E5149069F1AE252C,SHA256=0D159B755A76080A4090E8B598D253A1180CE309279FD378D180773E8CC4A334,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:30.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:30.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D218E1D16870642207AD0B42BAD7FA92,SHA256=3E131B9F653720156EC7504F1561E3F918667B521F88B15574A74BE03252F352falsetrue 23542300x80000000000000002131063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:31.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEA582D1AFB263E5A5479F571D43050,SHA256=838E462C7BE8BB62AF28148AA2396D125A5E8BE3E85AFEBFD2BB406767787FCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:31.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:31.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AAB056BA07DE9DE2D27687F8B6449A,SHA256=25056D64FF7F3DA18AEF473AEA72FB69E48BD1B549E51AEAFBCB39E5B2326C54falsetrue 23542300x80000000000000002131062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:31.119{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F36F20B8D126DACB64CBE57C599C4121,SHA256=81CB0142CD26A8E62C63E9D44EA85DAA5DD1741F821323265FD7820D5C74D06E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:32.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:32.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C472566BA23C1E50E1ADE921EAB797C0,SHA256=CFB1086A21CF0F6E15CEFDA1B084494306F932EDFB6818EE134F67F7E4FC6CE5falsetrue 23542300x80000000000000002131064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:32.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83F5FB73DD6CFB576A9AF46908CD7CF,SHA256=BC355A6F058295643144A4E48A6EFB11BFA44BE37D694AA35B0253E8E97C86E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:24.858{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62335-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:33.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CA5F8E840C86D630DBD4A6AFECC92B,SHA256=CA2DC9AA302FE78103F8A1DD4447A68AA70129274432EFCEF7D091E279E69A3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:33.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:33.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6660206E7CA5DFDBA02B78E0917592EB,SHA256=2B99AB855DCF4DE4711292AA28FE3B570E26AB9E3563A7C51F384EC75A54CEFFfalsetrue 11241100x80000000000000007542378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:33.195{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:33.195{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A85ACB1DBEC2B367A2D97B170A28CE,SHA256=18F150F4298144AD73DAF334DC70C0A8E60F24BC0873B27E64EDAFA410C6F21Afalsetrue 23542300x80000000000000002131066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:33.067{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF164D5E2EB185C5E3D8D567250EA46,SHA256=BF66B03BF33D7E5EB4700EA6919D017ADF3C5B5FCCE8AF753EC1318C387B5035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:33.067{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B32631062929E921D6B489186FDEE2F,SHA256=90445622F287E770118093E6C71A5AF017077DF3A38288B37FF682B336EE8CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:34.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A50AD661BEDC4B01C7AB1FE6CCC224,SHA256=CEAFF24856F686106394205FE78BDB7CCA40E9C558892289BDC44EB7BFFA4AA6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.494{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.494{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D210A5CD579F03521BD73A90442672B3,SHA256=76E5AEF83F5217B8BAD8A60A1A5D992BBBC5EA6DD3E5EC701F2118039F47BB6Ffalsetrue 11241100x80000000000000007542388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAE7F803CFA52B335A01AE0174E2CE32,SHA256=47E3B8F9BA87D0CBF37EFA5EA4085B31EE1177FFC66286477713F50029669109falsetrue 11241100x80000000000000007542386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6995DF67654695D16A04FC89CED222DE,SHA256=933752985010CC5AADD20E549192E8DADE9DF81A2EFBCB5BCAE1D8312FE07C2Afalsetrue 11241100x80000000000000007542384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3D09AAF988A2CE60A0A35AAAD5A9EE4,SHA256=62DE5B84A77614894A59D1FEE141D1B0E501F67BEA3700AC35D4D2B93A0CF7F4falsetrue 11241100x80000000000000007542382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:34.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DBF489D31D2896905A6C70080F5334B,SHA256=411CA627DE32B9ACF233CCA8F59C707538270A3949A9CD5C19536E9A6B010440falsetrue 354300x80000000000000007542393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:16.006{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56728-false10.0.1.12-8000- 11241100x80000000000000007542392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:35.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:35.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8CB48375031A58B390E9E1575E1FA2,SHA256=0DED8A311A87C51EB5959578EA31BB89C9048BBA2B7858D764EAB306D4F1375Afalsetrue 23542300x80000000000000002131070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:35.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B560215EE0D20D1A65BEFC492EFB79C,SHA256=1F17F2E9D93B3B78A1A6E3425BD4F50B6B8936A7DF672B1A8B9FAE06F9901FBE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:36.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:36.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85E1A532ABAA70CF3283E79BFD3F594,SHA256=F785A8162CCB3F0C2572ECF3D95FECE427EA38F68593444D1ECA7184C433B49Bfalsetrue 23542300x80000000000000002131071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:36.211{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E39539566305EA3B8911ED20480E38,SHA256=4B57AF7E7B05761A851ECB39178CBB2501C030CD7905B7CA27442DFD5904A3CA,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000007542398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:37.645{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 11241100x80000000000000007542397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:37.410{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:37.410{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5B5E158F109258482B6C4459F959C,SHA256=B21ED4B9A35AAB55D38852F510C1D5A7132CF9BEBD00A536253FD1740B168A3Afalsetrue 23542300x80000000000000002131074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:37.577{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:37.577{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A7D4C961EB6C737955AE09F6903A14A8,SHA256=A94C0B1FF1A846621BA5148D658FC9570FA2784AC7B912C55CE1A3075DD1DE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:37.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5701781D9D85DB21B93B895D6FFE1C86,SHA256=D4C0B13D11648CD650DB69DB36E7E4D9AFDBF6ECA890BABB929E1F7730EB68B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:38.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A5B0DB9497F64B5910958D5F9914BF,SHA256=2BEBB764BBDD6E27E556BE26BE03BB0BEDAA572E196D55B4FB0648F153852BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:38.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF164D5E2EB185C5E3D8D567250EA46,SHA256=BF66B03BF33D7E5EB4700EA6919D017ADF3C5B5FCCE8AF753EC1318C387B5035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:38.215{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978973D025727211E9A69AB80FA2F3F4,SHA256=BE244C0559BA9B01072D1792E3C772CC6C5F27899F887702E33D4EFE94306BE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:38.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:38.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4C30005274935CB9AC02CD7DBEE27C6B,SHA256=DD03876E8B02A3D42EB1CD9C27829B06686B426272063199A1416AA6ABB9FE5Efalsetrue 11241100x80000000000000007542400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:38.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:38.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299E91BB186C54DFFB57A35E6AEB5B0F,SHA256=1E811FDD3BCDDDC8B2A388B81E61A92995FB7EAF79F943817D01FA43C25DE81Cfalsetrue 11241100x80000000000000007542412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D364A55D3164035D8885DCD660EB18F1,SHA256=00C01998583D3FF4F2A17434CC4E9A48701B2AEA26233937C6166E5E158F8D38falsetrue 11241100x80000000000000007542410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.490{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.490{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F1BBEC32A07F1046875DD819718169,SHA256=990077572EE97FB9DB63D8C51820AC80CA88B75CB055CBD8E8073A7B648EDEF6falsetrue 23542300x80000000000000002131079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:39.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B0AFD03B96A6AFD3E7523294A6ADD6,SHA256=BF53ECB0CF4A4BDA4157B71A1E2A525ED2959F4C8E91BB2422ECB8C471547745,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:29.986{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62336-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007542408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=09E1BB011DC325964BAF6CCD4E6D6E93,SHA256=1F5D8F50DEC441146106A8FC4F0D01F1BAA55620C68C630D7CC8694A76CD672Ffalsetrue 11241100x80000000000000007542406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E523BB262911038B2CC42C12B889E84,SHA256=2B1C16D307E2CD1CFB698B9DDECA0418143499F6A29819E398B1E1F46CC41874falsetrue 11241100x80000000000000007542404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:39.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3D09AAF988A2CE60A0A35AAAD5A9EE4,SHA256=62DE5B84A77614894A59D1FEE141D1B0E501F67BEA3700AC35D4D2B93A0CF7F4falsetrue 354300x80000000000000007542415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:21.018{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56729-false10.0.1.12-8000- 11241100x80000000000000007542414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:40.509{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:40.508{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A248CAEF25CFF72E1F8D9F9D163857,SHA256=8CFF246FD6DDC25528E43DA777BF096B867929A6C6495A542F46F6695D2EADE8falsetrue 23542300x80000000000000002131080Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:40.219{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0A3E701027BE3AE6DD99B5E2651DC3,SHA256=CE1B84B0B1A0AF5EF586B5DF36160B0E3A1C12022B71479F23D824BCFA92EDD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:41.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:41.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AE3D91D4D5FBDA1FEAD60ECB0FDF24,SHA256=255AB1129DFA8D48530AAE4ADD9383B9572D8B066F04DFC779F0AB42DF582FB5falsetrue 23542300x80000000000000002131081Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:41.222{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01F98958F8EA1ECC0648AAC0265E66A,SHA256=F3F9002FCB3403C7741B04C31E378E144C00675E88BF640E4018837D31D5AB6F,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007542421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:06:42.824{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007542420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:06:42.824{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007542419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:42.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:42.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2B0A7FEFB4349CE5A288CE0B8CB0B0,SHA256=2975526C7C1BEAC75D4609FEF995825F9DA9BB90059FD2EEDFA2258EB3209183falsetrue 23542300x80000000000000002131082Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:42.224{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F71072841B241981AF41D013A018F1,SHA256=20EF4C7D6B4DB62BEE717F4E31F03A38771099353DB873B8F78B3DFCAD23F79D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:43.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:43.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757C6AB53B8AB041EEA6C43D78E14C0E,SHA256=F3CBF3EDBA7CC6B447E4B3C31F5E69E01C9F7321797140C70E7F6855A49C17ACfalsetrue 23542300x80000000000000002131083Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:43.226{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B445920E11363AD3224BB5E9E6EACE3,SHA256=F85FBF759C58006BF4A9912C08F43CF1A9CEE98783748BFCCD06D0E619647B6D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007542548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007542544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007542542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007542537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 354300x80000000000000007542515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.045{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56731-false10.0.1.12-8000- 354300x80000000000000007542514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.699{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56730-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007542513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.699{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56730-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 734700x80000000000000007542512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007542509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007542508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007542507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007542506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007542503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007542498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.900{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84890A5874CDBA0D9BF29C002DC0362,SHA256=1935107E8D9C9C48AD5F7119DBDEDAFE452B9DF23F94FC9745EC03C00980C62Dfalsetrue 11241100x80000000000000007542487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E5D029FD1D448FF15E0241A9C3C5A6A,SHA256=00479C892D273E23163C5363AE5F8FCC272FC1F0CF92A5D2EA5765D0220EF4BEfalsetrue 23542300x80000000000000002131086Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:44.391{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=106C6CE31B6BFF803AB2D452AF6D136D,SHA256=A4AF25B21D1EC8CD4BF272D02021E4FAD723F769DAAD762A541B6CCE3825C91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131085Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:44.391{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A5B0DB9497F64B5910958D5F9914BF,SHA256=2BEBB764BBDD6E27E556BE26BE03BB0BEDAA572E196D55B4FB0648F153852BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131084Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:44.228{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE783EA5229C0487299900340EFDAB83,SHA256=4295252B10FB921E6B65028AD90A0E90D58EAC16CD26AA2F88DE1F67AC468FDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5868FF58F263541740E122DB12D952C8,SHA256=49DC65DD08DE271C369CA8BDC1CA27AE7529E8DC406CD239226C5FCDB3BF45C8falsetrue 534500x80000000000000007542483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.353{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007542482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.353{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007542481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.353{4DF467A6-90A4-613B-5B22-01000000F001}81805136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.353{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.353{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007542474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007542472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.222{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007542436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.206{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.206{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.201{4DF467A6-90A4-613B-5B22-01000000F001}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.200{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.200{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.200{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.200{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.200{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.200{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A854A65C714452A1EA9C33C7FDCB2AD1,SHA256=5BBA1E99EA50DD724DED2E11A616FCDF48930EFA53DB907680E13FFDAE96E159falsetrue 11241100x80000000000000007542425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E523BB262911038B2CC42C12B889E84,SHA256=2B1C16D307E2CD1CFB698B9DDECA0418143499F6A29819E398B1E1F46CC41874falsetrue 534500x80000000000000007542614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.735{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007542613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.735{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007542612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.735{4DF467A6-90A5-613B-5D22-01000000F001}54847596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.735{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.735{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007542609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B16D3C15C0A560518BECD28E4C5202D,SHA256=35391B46FB2106AA86E4E49F4D2F673461352FCE9282CBCADE5510B973C263EBfalsetrue 23542300x80000000000000002131088Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:45.230{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E203BD2F6D00E379FE1C12E2C7DEC0D1,SHA256=F30637F8AC5F5611DAEADD2732EE01990727CBAFF3F54E6004BAAA44DF962AC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF41FFBA4675C6057D84926A353EB72,SHA256=E1942D1B97E5D4CD5A678C95AE59634D8B86BCA96A936132C63655035CA20622falsetrue 734700x80000000000000007542605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007542601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007542599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.601{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.601{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.600{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.600{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.599{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.599{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007542563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.598{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.598{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.583{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032AB6BAC3AA38BCDD561CDE9EFB5D4F,SHA256=4F89F1A43AD1A5A8946C7D9BE183E76D4A8FDC91D259306C426E1E92055F1A8Bfalsetrue 534500x80000000000000007542552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007542551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000002131087Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:35.933{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62337-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000007542732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007542731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007542724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007542722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007542691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007542685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.836{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 17141700x80000000000000007542676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000007542675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26827CA9063DB8057A972C633E2EFA9A,SHA256=598B3A60623BCC524AAB5AB91D1B82A4BDCF4E36819D87C774F2E9E4EB45A9C4falsetrue 23542300x80000000000000002131089Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:46.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8D3BE8DF6D3C6D2EEBDE4AC4B95F7B,SHA256=2F4E5646B2A28F9F9BF98061CCA25D9511A66E9172FA3727EF2116F68FBAD382,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.702{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007542673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.702{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000007542672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9423811990800D8516A9B81C84CCEFF4,SHA256=FF580B044214FE69435E32BF83DDBA672C35E00FA8103FEE6782D7CFB4021695falsetrue 534500x80000000000000007542670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.434{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007542669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.418{4DF467A6-90A6-613B-5E22-01000000F001}68325476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.418{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.418{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007542662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007542660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007542640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007542628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.300{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.299{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.299{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.299{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.298{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007542623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.297{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.297{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.282{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67E128F1862B3B7CF424FBF27F08D5E,SHA256=3F4F037F776BF9C03DCDDD0929F960EEA8A1266290127DA2A299858507C6D7BCfalsetrue 11241100x80000000000000007542793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A96182843927762BFC4F1033D037440,SHA256=AA0B022A7BA9357EFF15A234BF73AB51246FC5145E9F1F86AD79EB3E7CA2E974falsetrue 11241100x80000000000000007542791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61DD0F4F5BF04A7A23B215CEC4E82B38,SHA256=7C157564C140E21637221FE7177625040AA0DA976D836870C0555FA69F8ABB6Afalsetrue 23542300x80000000000000002131090Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:47.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8456EC125637E067C41D34025661B7,SHA256=25A76FEF5608C68F6B23D26C17851B56110F0449F49158FA2D138A7F5B0DFD58,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007542789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007542788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007542787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}6562932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007542780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007542778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007542747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007542741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.533{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131091Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:48.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF928016382F3E5AE0B79489D161AB64,SHA256=F975495EB66E33912A6E1CD38A635BD1AD7F4196CA58790B0A26E23D74DC3E3F,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007542852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007542851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007542844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007542842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000007542831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007542814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007542810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007542805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.232{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000007542796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.573{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56732-false10.0.1.12-8089- 23542300x80000000000000002131092Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:49.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FD99C408632B85A05148B493C56E9C,SHA256=6739208D0F491DCF030A59886C1FE47B101FD04DB1A7D8A9B8E1B026097FA7BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C3F1B103DF33D824EB156A8D5F0CD94,SHA256=FE668A8643F1CF393A1C0631EAA5085F2CED8C3A30478FE879B209AB87FEE9BCfalsetrue 11241100x80000000000000007542860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4874EA0B958E3682367FFFC1D2B097A,SHA256=DD8EA40088F17C18E7C7EC6D298ABC596D5B0B15668CCA8CF3EB6821B34067D3falsetrue 11241100x80000000000000007542858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A704A1026A56BD4363CE793B94498F3,SHA256=7FE825877486397158C9576FF863974F5A98FB422858B5307BCE347347148200falsetrue 11241100x80000000000000007542856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60478AA25B79AE92C560A93C397151A0,SHA256=F14D817E2A4A00A4A19AC0881031EF71B1063741017FBEC532ECF97F6B2A931Cfalsetrue 11241100x80000000000000007542854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C92CF802F5FF8A85B14E0D2926CC8DD9,SHA256=951FC57673B5D4EC20A0EA45F3CF9D867E5255CD1B2EC5529C23C077AED7AFFDfalsetrue 11241100x80000000000000007542866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF11E821BA55793CBA9E5F8AE57EAFCF,SHA256=ED51D664DB4D1228781A2FF44AF23D8633C44A1500CAF711C216CEB293B72DB0falsetrue 11241100x80000000000000007542864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49367792F94646C1EB1370B071A28097,SHA256=DFC76090CA5523FBB491D5A43D948A7FCB0DE3935743303663C613238ADD1AE0falsetrue 23542300x80000000000000002131095Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:50.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E6266CEDD614453E6CB24F662999E,SHA256=B41A19C2DAA7B77CB0B89357F541CC93E8E53436C58CE1BC6DF442CC1C36FCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131094Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:50.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B387DD70674BDEF02A2BD0C7F08C5A9,SHA256=8458533B6E1BA7C465D4C7BC6287B514314EC0335131A56E313E4EDEE301515D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131093Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:50.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=106C6CE31B6BFF803AB2D452AF6D136D,SHA256=A4AF25B21D1EC8CD4BF272D02021E4FAD723F769DAAD762A541B6CCE3825C91E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:51.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:51.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE13ED28C8DCA23D112E3C87503B93,SHA256=1D0ABED4257C7DCF4C112577F2DF3BBCBA7A796DD1CE8355D8A9CA8ED4388D36falsetrue 23542300x80000000000000002131097Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:51.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D9D921728822C05400C7357B105C93,SHA256=8DA10A5CD9C520E4DF29B5C3E66624541FB2BBA0FB82FF5F75EA1B8704D9C0F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007542867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:32.050{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56733-false10.0.1.12-8000- 354300x80000000000000002131096Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:41.891{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62338-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007542871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:52.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:52.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D873F5B55CEB14E6E95CA584907F95,SHA256=CE1675060F894EC7EA51965D3EEAAD896E2BD7F2CBDDCC804535C32CD9910327falsetrue 23542300x80000000000000002131098Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:52.243{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A26266CCD19C9243655AAB73BBBB7A1,SHA256=83153F766F9A9A9108AADB97C920FEBEAD22EA8F6F7F4F3EEEF53E39E04ED550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131099Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:53.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E103F5C26E5D7A6B3CF358DD1CB8D312,SHA256=ACA36AF2F2D8E9B8579D2402C76A6B1A1D620598040EB097DF4274CC47076EC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB5C90FD7863380F4C64169F3CB0E98C,SHA256=DC7B518210FF1D582829F2344442331AA5463B2F58C2207FDB6CB20FF52BA465falsetrue 11241100x80000000000000007542873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773F2702EB785CAD08A76A27310C9B1C,SHA256=D77393017BB770148663CB8A320F49ADF3C5F6687437D4C74C1A1136D4B8B183falsetrue 11241100x80000000000000007542881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1B08E320E7EC5B1253556BA45B9D5F7C,SHA256=1786F07C7D725D4E1B5ABC63B52EEF5E951114EFA5C0B866DFD55B2D018E255Ffalsetrue 11241100x80000000000000007542879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E6EDB12161059A3B58F80FF1BE70D50,SHA256=09F32DB3F457862C9085BDB72DBD7BA3F93A4F6F15F47D3BFB2CBA0941BABCF9falsetrue 11241100x80000000000000007542877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B516B4CA67EFEA5B1B9982DCF43D119F,SHA256=764871933CEC6F55B1DCAE690085A93ED246E04AC3DFC6663A9D5E68D01AD358falsetrue 10341000x80000000000000002131113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131107Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131106Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131105Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131104Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131103Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131102Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131101Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.648{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131100Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.247{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6654C4417B9B093B944DE413B3C4FE33,SHA256=896F4CA019FE697057BDF2E438DFF173FEBEDF38DA8A59F08D204B9560559454,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:55.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:55.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930F591F3C8D37F5314996F8D2C0CBA9,SHA256=A2671593DEFB1BDC70AE84605E0845BB545F24F0C3A9F48AC6FF7EEBEE39DD19falsetrue 10341000x80000000000000002131143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131142Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.933{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002131130Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.409{AEE49BD1-90AF-613B-8C1B-01000000F101}24842956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131119Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131118Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131117Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.263{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131116Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.263{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ADD43D991B36804735F1CBCAAF783D,SHA256=3A537D1A67E331E6B0EC9E023057515566AAE7DF68C8B4C01210F40F1BDDF617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131115Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7432701AC08E1409D783CD5810999E,SHA256=7B2E096CD557FB434E24E590109B0D33E648178C28DB2405F8C886DF9FB29788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B387DD70674BDEF02A2BD0C7F08C5A9,SHA256=8458533B6E1BA7C465D4C7BC6287B514314EC0335131A56E313E4EDEE301515D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A969DD74EEE7E71444ECA476828D39B4,SHA256=69DC190FDBB3DC1A7B79FA3CE6DDEB2D362ADB0663C8CF4414DCE138BFFDCFE0falsetrue 11241100x80000000000000007542887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8803C4789804943486107CCE99F655B,SHA256=9DB9F00BF564A7595CBD9216F9330CA5577428ED70CDED0992E47D127CA07A18falsetrue 11241100x80000000000000007542885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30B215AFB3B10E8E123EABC12E045FBD,SHA256=02D489A26E83F5FB2B2EC31D636953753B7CDB0E3012CE113875312A23148EFCfalsetrue 23542300x80000000000000002131146Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:56.395{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1558C41002238A86FCE98D9F017A7B8D,SHA256=13BEC29B22C62A9BE10A428056676F0DF35955C059502D1330189D3C9F2D44E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131145Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:56.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7432701AC08E1409D783CD5810999E,SHA256=7B2E096CD557FB434E24E590109B0D33E648178C28DB2405F8C886DF9FB29788,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131144Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:46.954{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62339-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007542892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:57.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:57.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1654E3CDC0BFF3B7FBB054162569C5,SHA256=EBC39E9792D5875E3B77A6A0FA28D1B507BFDF4C8FBF595D5D9AFF0AE4AECCA0falsetrue 354300x80000000000000007542890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:37.996{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56734-false10.0.1.12-8000- 23542300x80000000000000002131147Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:57.266{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A061794B56CD5EA76911672A493A05B,SHA256=2E1DEFF75AD430930310F24411DB8E02003B5D3BB3679BCADFA25DB0E928F748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131148Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:58.268{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D565AC1D391069963D554985B74781,SHA256=C74DE80FB0CB8A6FA1FB5373AF5F19E28E13779312F177B29C4200C66A5A957C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8426EA46D7B8CF2849A3F869AF7F6B41,SHA256=E6135969BFC3EC8785C39BD113983322896C4EACC2291AB4D665D366C41C16EAfalsetrue 13241300x80000000000000007542908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007542907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x2465ef8a) 12241200x80000000000000007542906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000007542905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xe1d77402) 13241300x80000000000000007542904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x439bdc02) 13241300x80000000000000007542903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0xa5604402) 13241300x80000000000000007542902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007542901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x2465ef8a) 12241200x80000000000000007542900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000007542899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xe1d77402) 13241300x80000000000000007542898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x439bdc02) 13241300x80000000000000007542897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0xa5604402) 11241100x80000000000000007542896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.482{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000007542895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.481{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09F6EDD1EFE650B0D9BEF1BDE92F3446,SHA256=527C9F14D1F799AA4D5C9C36C77BFE8E18D26E62C47E0B0C84917CE1F1E8954Ffalsetrue 11241100x80000000000000007542894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FFB757597CB9823A76DDFFBE63AFDD,SHA256=3BF52993EEB564664E4DA88CDBC3AF44C57ECA10B663704176DD859493AF6262falsetrue 11241100x80000000000000007542916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A844B0E89F6E299C0B5D747719115E2A,SHA256=53C6B25E095CF44BFD5E70C41D40E9ACFD7479A3F8A7EA854C1603AE84034788falsetrue 11241100x80000000000000007542914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E0568AF324A1A14A9BF9117D4B2189F,SHA256=A33C82BF46830CE375DB7C58F341CE3D938D137352A211D43427D6EDDFB63B35falsetrue 11241100x80000000000000007542912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3498C23A97BA8B09BF1AF919EDABB935,SHA256=02A65CFF851BAC53C495E1355E6DDE267506941B1F33728723314AD4F3A59831falsetrue 23542300x80000000000000002131149Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:59.271{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB79C941AD5E606481FAEF1DBE1A79F,SHA256=7BB49AACD905F1F5F39592927F38172E6C0C0D01A31BAE3F14B5077511096E46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:00.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:00.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DC9CF3753FAC6DB297A19D4F5F093A,SHA256=72F9E7CD326C8C4E144B94C624F9AA021DD05DB897C40F7C9CCE999B318666FAfalsetrue 23542300x80000000000000002131150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:00.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC250DBAE738CB8EC592564577676B22,SHA256=CF8E1B3F1FC672944DDF5676299A8FDC278A38D8073543833ACDAC07F6B34051,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.415{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.415{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED4B97FC11B5E43AF7578B7071605C9,SHA256=73E884F33DEC8F667806D9AF9D84202DF69CAFC54CF72962EF178B901F6BE110falsetrue 23542300x80000000000000002131152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:01.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189253DD8D16A19D4CE78F1BE660345C,SHA256=5AE3FED5DB89ED402242DBA228C16E09EDBCEC3B01BD2209B4319BB80D902020,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E31B554C07BB0EF13A39CBE3B042E8,SHA256=FA414FF60CFE14C06D0BB864944CDC466B69CE30BD42C80A43D8651B755ABC42falsetrue 11241100x80000000000000007542920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8803C4789804943486107CCE99F655B,SHA256=9DB9F00BF564A7595CBD9216F9330CA5577428ED70CDED0992E47D127CA07A18falsetrue 23542300x80000000000000002131151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:01.140{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38ED4E4D688F3AF963DC1E1A85D6E686,SHA256=5A6B6B09E705AE30DCFCD072404466D9DC36CC18600B39CD91D19BA996E9741C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007542927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:43.105{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56735-false10.0.1.12-8000- 11241100x80000000000000007542926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:02.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:02.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EE7BDB8BCC4E33A04367E689C090C7,SHA256=9467B148D0347FF5B084AA0D90E4C0E4E56128A030267B3EDE8DA78FD3164704falsetrue 23542300x80000000000000002131154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:02.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984A50509B00C954D237E5444DE6A113,SHA256=6FE2358DBC31E26872532F6875A4DF2E0A6B65E159146BB5A09BA4D5484E67B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:52.925{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62340-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:03.281{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE64FA3FE335D06DF397B7CE607B0B9B,SHA256=B36A9E116C8D65C13C93ECD3B51F7C58B4401E93739CDA6B9BD4F5F4978C8C36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DBFBC920A82BED46A9641ABF9A06F992,SHA256=82257C761D3D133283BED362D8203A504497A45D8191585178185FF2565AB848falsetrue 11241100x80000000000000007542929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.443{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.443{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9EE490FC874BC1C80591A5C5E580C,SHA256=85358DF7FF81D916A97C578470454D4602E10CE4A466A4F85E77DA1456EF5530falsetrue 11241100x80000000000000007542939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DE7478F4CB67EA451A14A81CF1B8561C,SHA256=2F061D99B85B58D326D39F673E4E207BC5216011BEC100AF8A646F343271A1A0falsetrue 11241100x80000000000000007542937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=328567ED1CBAC8CCDB8CCAAD7715EC53,SHA256=D877FF5EC6F1F977FAA12C189F3A0A327A2AE82CBFA1136A65E459AFACA31B2Efalsetrue 11241100x80000000000000007542935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24312F72B05B36C827811BAD06DFCCF,SHA256=E9A37FAA77E62B5809544C690C1F379418312BCC798A5678236AC87EEB15E039falsetrue 23542300x80000000000000002131156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:04.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B357CE6F0A2293A32630FAA64EFB4113,SHA256=49AA1A0AF82955DFE282245368C69CF5838E6E8C5D81D053A92A65EBAA9FE057,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E31B554C07BB0EF13A39CBE3B042E8,SHA256=FA414FF60CFE14C06D0BB864944CDC466B69CE30BD42C80A43D8651B755ABC42falsetrue 11241100x80000000000000007542941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:05.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:05.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3465FC2FAE06D077FAC5D768A0F2AE,SHA256=C92F69F3AFD2EF345CA8D024E79010C0B194502C4EA0476CE700710C2A3409F7falsetrue 23542300x80000000000000002131157Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:05.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE85BCFA1E09CB13F1A33BE982C2EBD8,SHA256=9C3A2D9B8986CCC305D61FA3F381947FA12E7A44816ED6DC96EA61CDFA06F47F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:06.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:06.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1801C45C9DE4D1BDBB696A17CA4DEBBC,SHA256=39FC3644F9CF029B681E5AEF2C9CE2D75FD1EC3D8C07A271FC44BF7194B8CF4Afalsetrue 23542300x80000000000000002131160Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:06.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30A8E1F0967A6AD1E0D3C7BC5C1ACD2,SHA256=0D0CCA4FBC05EA263BF3D6DE463EAFCEF768F759BD56CEFCDA606A17B2ECCC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131159Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:06.269{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71AB3B59AF0CC6956092A945B6C82686,SHA256=CE08F923D63CA129E7067F3E2658BE9667E1D71293497A2879A24360CE9F70DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131158Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:06.269{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8B69B80C320A84EC2D48B897E6C7DF1,SHA256=621971813F7539263C7FB7801A169C7A097B4E512124132ED6F18156A79006AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007542948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.127{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56736-false10.0.1.12-8000- 11241100x80000000000000007542947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:07.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:07.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410965971AC72E120826F027E7134BD5,SHA256=0B749112E5D1F7B24B4175D1CDD31A94E917F5EADA143298667D51106E070305falsetrue 10341000x80000000000000002131175Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90BB-613B-8E1B-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131174Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131173Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131172Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131171Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131170Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131169Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131168Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131167Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131166Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131165Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90BB-613B-8E1B-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131164Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.920{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90BB-613B-8E1B-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131163Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.905{AEE49BD1-90BB-613B-8E1B-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002131162Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:58.037{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62341-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131161Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:07.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FFD36F9C3E350FF7B358EE6EF46969,SHA256=622487244D1F653DFC3547A731ED28086E9D6CC067D87B0AEAF6A6588F588B90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:07.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:07.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0D3A42118EE749BCB632054DD8CF7A,SHA256=5EB64B0977B90712AA6DAC958AB0B3E05E386D109C8C7EBCEA574D471F4C0B61falsetrue 11241100x80000000000000007542952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:08.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:08.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EE097B04C84DF9D6BADA77A6F455276D,SHA256=98A037B5C366E18F51E424AAE900D5CB4BFCE8D5AE00E7A4D3DD12A2E34881D8falsetrue 11241100x80000000000000007542950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:08.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:08.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F460731828F54A13F7F5B77BD4558CDD,SHA256=8B58FFF39260B8BF3E7D55E1676860D93A0E4EE9CB67E227856A5834076FCA16falsetrue 23542300x80000000000000002131192Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.956{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71AB3B59AF0CC6956092A945B6C82686,SHA256=CE08F923D63CA129E7067F3E2658BE9667E1D71293497A2879A24360CE9F70DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131191Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.705{AEE49BD1-90BC-613B-8F1B-01000000F101}54125504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131190Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90BC-613B-8F1B-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131189Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131188Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131187Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131186Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131181Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131180Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90BC-613B-8F1B-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131179Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.589{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90BC-613B-8F1B-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131178Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.574{AEE49BD1-90BC-613B-8F1B-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131177Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.289{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682C4DC4878023793639EDC3C1A298BB,SHA256=56E7A916E8F97865AD440B0C4438F20D2587DCD8EAFCBA1C071A2C25D66E61A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131176Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:08.048{AEE49BD1-90BB-613B-8E1B-01000000F101}58285996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007542960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E52E59ECEB25F94F20D4461A39914AB8,SHA256=BCD7FDCC980CC12C54F36AEA32D1502D99FCDF0CC33E3B440CF52B9985F4C897falsetrue 11241100x80000000000000007542958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.703{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.703{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB4085065DFB16CAEDE6F9EDC2A10A07,SHA256=B449CF3F663083CDECF4CA04C177601692498EE1AA3ED17C3B756BBDA2582E04falsetrue 11241100x80000000000000007542956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB2AD60ABCDBA77F71533E3C3BB1E77,SHA256=B02623DAA94CD54A48B9C5C55375EFBDC5D8E5E692674B90F325F67BDB73D36Dfalsetrue 23542300x80000000000000002131208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.692{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9915MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.405{AEE49BD1-90BD-613B-901B-01000000F101}42084368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.353{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F8873637E8C4C99D6F1A480509EDF8,SHA256=401639442F68A3DC768A2CF849FE0DC0970C57015F6FF31E833111245A017E77,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20EBCD1AB41A20C075E0259CF90F1620,SHA256=9CAFE16DD9CD7A74687D169BB7993776A5D7BB76480293DA2BD5A98E744EB7D0falsetrue 10341000x80000000000000002131205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.254{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007542998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:10.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:10.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B2E60E06D56D936DE74370CE510989,SHA256=E95C1E9C6377B539EFAF0F60A6AC7B8368621F3C5EB8EB40707E180B1BFE8F26falsetrue 23542300x80000000000000002131211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.691{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9916MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.406{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87047A99499FE704860F503F38840F20,SHA256=061E9787254FCFF0BCBC05F24A74907F968EB0FDA0F3732F694B7EBE658254B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.291{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2997DFB7A7A473510CAE2AA20867CAEC,SHA256=00421C128F67DE4E4F041C1842B4DBADCA7317A9636D40CA4416E9B29DBB7AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:11.592{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:11.408{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACCAF462DD3E0E9C6824AFE5F67A95B,SHA256=1FC12719AE5F08467FA63E0396ECEC862FCCA1541A5D04781869D2B8B05D1B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:12.493{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F8D5397750449EACFFE2E04F6A0B933,SHA256=42EB39DF3B02E64ACB138E2E237C42939DC42740055A74A4364D0E37A82847EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:12.409{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F16C895A97F8EAEE3CF039265378F2,SHA256=C8AEBD70666EA376D4021C6295DEE3F83236CEEEEE7F07B445896B79EDEF32F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:12.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:12.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD180F0814822A33E5A68402D75302C,SHA256=1E16DB6AA743A7D2A052D76D681B992C93236B3864D06DA0F4193F769D7FCB35falsetrue 23542300x80000000000000002131218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:13.410{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE4ECB0B9F27CD6BE91EF6317AF5B57,SHA256=336915DBBF15A69408010EE3CD909D7AA3397DE7466F7C94E23D7D04A1E47949,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85DA37F6CACE55D0EDD214B139997855,SHA256=0BF8DAE02F2F9979B4B2B47AC92F22E426B2D55BB476084365181CFBA95B60E9falsetrue 11241100x80000000000000007543002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.064{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.063{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F81865BCAEDFC5B44CA49A60AA821AC,SHA256=90FE189BA37F2AB01EFCFCD6B72E9130457D202831FD0B703A78286861E3FA68falsetrue 354300x80000000000000002131217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:04.367{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62343-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000002131216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:04.048{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62342-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007543013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AE2B49A936DD7992DC6657AD9C6A846,SHA256=EC30635F984301B6E0FCB76D1BAD4309471B85ED03D418C6DC976F26516D6F5Dfalsetrue 11241100x80000000000000007543011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B692493EBD368CD5AD81297C0A046F3B,SHA256=6F1B1B6DEC35EA02A5D8757C506C21237A88F63C36CB03941C7DD7BD36496A76falsetrue 354300x80000000000000007543009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:55.056{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56737-false10.0.1.12-8000- 11241100x80000000000000007543008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9E82A76678ECC0724382F73DC3F2ACE,SHA256=6EACA86DD760138E773DABDC058FACB44C42CBA68D01D8AAF2D5AA41BCF6126Dfalsetrue 11241100x80000000000000007543006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C31C1A182846CE0DAFF0AE9D5230516,SHA256=5A5CFA339B43822487F3AC5B8432F317EC91EC73FFD1E3062D4BCBE8C6D6A8E4falsetrue 23542300x80000000000000002131219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:14.413{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4112E564BFEFEAA472EC500C20F2C,SHA256=5C7A235493E2E7538011E7788D4070952718896B176FFE0DAE91EB3417B0ED98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:15.363{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:15.363{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDC27CD54E48E2528510B2AEB3BAD97,SHA256=FDA72FB7BBDC41F733DC8C10E5B115D35ABD718A18B4FDCEFE467D52B1A4573Dfalsetrue 23542300x80000000000000002131220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:15.413{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667CF51E27FBD8CCB7A30DFDF1C27D52,SHA256=6DAD99CD8B77E64C9044B94AE8BCF548696845F360B2A75FEB0B7B4160487F75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:16.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:16.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E030890CF25A0332E1F17B9BE85D7C3,SHA256=BE55A1D75BBCE9821DCBF425BEFACA05D8B4A0906768CEE026A6DBA2AFA36FE0falsetrue 23542300x80000000000000002131221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:16.415{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EDACE6191A112DBFF3A7C942B7616E,SHA256=6BCB0746375C3E6770253195F98F436A3E6CABB7CB9FE42C1A7B519303AA86CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:17.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:17.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FD35974BDB201DE65DE5008FBD1362,SHA256=97E359259725B2FD7E1DB984F99CBB5081E298B1EA32A5A9AB3672F2F7A52F2Cfalsetrue 23542300x80000000000000002131222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:17.417{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF7DF7B9D2F3F97723CA18F7F8F7945,SHA256=86F1458BC76AB8C9D6D964397CCDCE812BB38F67C42E525B2EEFB4D4F13AEBAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.008{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62344-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:18.450{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0545B45C7B7C75E8A97785CCE6599D6E,SHA256=407C54AE90AD47B309480ADDEA59D62BDB6AEBCE8D5E7930844ADB1E526AE145,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.974{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.974{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A756CCF1CF271F4258A41B3F5946DD3,SHA256=502736753A31B1C27FB864CB3F29BB2A1DB57C0377C4E3861418CBE59650A702falsetrue 11241100x80000000000000007543021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28450EEE4670D7053C9F83722CECE187,SHA256=99FED02939F16B9D704E4B0B0F1F3E455E0526B8AF48F28C9985B21570BB401Afalsetrue 23542300x80000000000000002131224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:18.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C002C8111B7E9F5E72E457C01CFBC92D,SHA256=14301379BB441AF48AA4798CE3D5CD24D0D3E436B6A72C39DD46E67C09B0A055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:18.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F05D068C0BAA2E24A6C5BBBC38D1062D,SHA256=08015A8D0C33AF32F28C33A21D8F1834C6128E2A067D8E3CBB28D032DF0BBB70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD4ECADF1DB965FC9243C050EC40C841,SHA256=313EF0DEBB785598B92C46B509A5C588C8BD1E1C93F08C2BE3B334DA9AB12B7Cfalsetrue 11241100x80000000000000007543031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.888{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.888{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D0046BB3A0DA737F0B907249CCB0707,SHA256=ABB8075ED4C59BAC28CE17785E6B9307954280F9C7621EFBD6E05008BE5433FAfalsetrue 11241100x80000000000000007543029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC4ECF0FA8B45864676EFB6B511543A,SHA256=CB03125B4782EA2DF6604AA60036F6B02CFE9A24A76BE1B1FCA27EFFE0B320B2falsetrue 23542300x80000000000000002131240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.473{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F39F77C81B640377E15D7D37A47679,SHA256=8A6A4EC56CC3DB13A8F89137499BA177CBA3ADD263CD3AE68B5C7CFD157C507B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.237{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007543027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=698168FE20CC9F3927EE1AA0BFA376AE,SHA256=5825D19732B15A7DCDD1A683531DA2F2B60AAFBE9ADBFACA6504213CBBB1CD50falsetrue 11241100x80000000000000007543025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963F038D0AAFB23F42DE8CA4AEFD4BD0,SHA256=DC60B664C7EE290D5CAAF88E46DFA50B9240AA0F2256558DC8A1DAD0471B9A56falsetrue 23542300x80000000000000002131242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:20.490{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4662BFF08F469E9803A84355A1F892,SHA256=2CEBFC98B6B71C5E720A35C64F1C3A1CCF882188248FC7A6CC51BF17A0F0730A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.029{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56738-false10.0.1.12-8000- 11241100x80000000000000007543035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:20.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:20.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA8174C9899043C85A5E4156998F0F3,SHA256=29A488547898B7EE2E67C7D818F20657A8C975EA301F4455C1AB890140724F4Cfalsetrue 23542300x80000000000000002131241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:20.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C002C8111B7E9F5E72E457C01CFBC92D,SHA256=14301379BB441AF48AA4798CE3D5CD24D0D3E436B6A72C39DD46E67C09B0A055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:21.491{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA4C281779DACC96002850EA3D2BA2D,SHA256=D7B9BC4F198BC26F60A304CEFAE856E2E5B7CBA92DBBC42388661792A13DD62F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:21.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:21.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D60708A67133540B87F2F1268DEBA42,SHA256=A0E0719113D51C6479ED7F68C7FB04F1BE1D42EA1355F17FE70EB2E9E21E3838falsetrue 11241100x80000000000000007543040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:22.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:22.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312CE3CE357478A8D70E24F4FDAFECD3,SHA256=8CF335E8E2CB6CA3A0453CEAE40432E69EA61CE491559D927D26513C3A1A8A2Ffalsetrue 23542300x80000000000000002131244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:22.493{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B867096804683F48313739D2546AA20F,SHA256=15BEFF0914C6C535A3A241F0343873C5BFC82959305352174C2E8B0995A5CB9D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:23.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:23.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C06066AD90AC8E5BC908C58C67139ED,SHA256=9210ED9DEF0E191E1A31EEEA18EE068270FBA60A11E90689F2716976CD85C756falsetrue 23542300x80000000000000002131245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:23.494{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956593D66AD6909F6245EF6245DA8D0F,SHA256=DA0F3AD8AC7FE72E060AE29511799C253183F437661D25C1B8F8B0D384096147,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=650FC3789AFAED8809BC83629A9EB410,SHA256=B67777058619FCC8162E9040497D4A3AA6A23335E0A7D0D2638439DA077001BDfalsetrue 11241100x80000000000000007543050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.852{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.852{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C890BD1A449F15CE5D4542F4D7F2E149,SHA256=80198FF0EB9C6B438E951ED85925DA845387020E7DB6B2F73FC0BE28A1E79ADFfalsetrue 11241100x80000000000000007543048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FF781630EEDEF78B852F69B25AC6A6,SHA256=61911D4F35895B49E1EDD28CAAADA2C719484F3E7A2EEBA1C96924CEBF846224falsetrue 23542300x80000000000000002131248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:24.496{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2914D2C12186AC0E3EA30EA8FB3857D8,SHA256=DBCD19B5326D0A7632094BB866F139C140141A4432A26D3183E83021F536EB93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB99AD8EB0B49ED0053EA798451116E7,SHA256=5DDA3D4DC3F9D76DBFE3C8DE09295D9F11A7A7B79024893AF64298CD6016F47Bfalsetrue 11241100x80000000000000007543044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=698168FE20CC9F3927EE1AA0BFA376AE,SHA256=5825D19732B15A7DCDD1A683531DA2F2B60AAFBE9ADBFACA6504213CBBB1CD50falsetrue 354300x80000000000000002131247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:15.915{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62345-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:24.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787295BF27BED6E09958BF1BA54A8093,SHA256=8FAF833C73D5C35F700CF842434171941B51EC53B784F411398E04FEADA2C3EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32779F515A62B1E3039783106CE6BA00,SHA256=26F785B010C881AFDEC972AE91915DEEA28D2E2505C487D6CBB797CA8AD08735falsetrue 23542300x80000000000000002131249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:25.497{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9069CA346B4357A58D7643E6D0C0E35,SHA256=9B3D4B50C91D616E3E46E58CACB2ECB446DC38CEAAED41C4B411FD96FAD129FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326DE87A53CAFCAFA0A080F97CBEDB89,SHA256=03702F492C0968334DD3EDA3DB4ACCE90D820ECDA0DBEEC225E01F973919F7FDfalsetrue 11241100x80000000000000007543062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.665{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.665{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC42BEEE97D9B404EA031BF527C35BE,SHA256=525597C00083F74435B0C0E5440A414FBEA940B1CD8C11D51AB907B7A9149B15falsetrue 23542300x80000000000000002131250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:26.498{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665330EE766D577190D5E9261000B03C,SHA256=A0DDC0BD0858E7582362AA0B51C54CA007A27D378F128DA9CD9EAB8AF82D9F24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:06.973{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56739-false10.0.1.12-8000- 23542300x80000000000000007543059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.015{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9924MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007543058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.014{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99242021-09-10 17:07:26.013 11241100x80000000000000007543057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.013{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99252021-09-10 17:07:26.013 11241100x80000000000000007543065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:27.696{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:27.696{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F602E0BD9AD06180676118CDC9836BD,SHA256=28A921C8A4D6B3AA56BDD000308EF151E9B2CD4785AAE66D2EB2F9137603D6A4falsetrue 23542300x80000000000000002131251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:27.501{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907A1331B75738D212957129750340DA,SHA256=DE4DC2935C780EDA48321C17E32EED94E5B8E12859B92E0DF982401A54ABF3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007543063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:27.027{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9925MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000007543067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:28.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:28.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F54FB15DA48605F3D7F68D649F6B88,SHA256=BE8FA591069F04511782C205AC059435C2FAAF807B3A946DA529E5F998D05C27falsetrue 23542300x80000000000000002131252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:28.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C729F73114ABB571BBF0BD16E29FD8C3,SHA256=8214A13CD45D015E0A0AEAE91D4DBA64A46E8C69CE1B191326E84159F08C09FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE9638703EF7C184A1C6C2CFC1EF77B,SHA256=C0FF6867ADE0CA4F7A9AE3A0A8289829CA90B70F7194E8803417DAEB383D98BCfalsetrue 354300x80000000000000002131256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:21.023{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62346-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:29.518{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E154A02548534D4A00FF327102FF45,SHA256=A8EBD87B3F3AD6F45CDC7E9831621AF480DA223FAB4351B86B19721FCAF81E2A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.125{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.125{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E164D77FC210F34F44A28CE0F204E2D2,SHA256=1E33C2F7C40B51A18C73D05768C283FDE5E7583667C1EEEDFBA1A638A4C15AB0falsetrue 11241100x80000000000000007543069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.047{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=064D56DCA4103690B2B53455C755FC50,SHA256=57659FFB764F251E2A40A14E9DA093A3D63A7D5BACC532AB0E557304D3928CD3falsetrue 23542300x80000000000000002131254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:29.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC4E5652B6084FE22ED7D6A1286AB984,SHA256=587934FF4EC4CEC81D6D6398FD1DD416727C9FCB7B7E059E021BD8269A4ADE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:29.282{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B044CAEABCE6F24F900415413F311AA7,SHA256=2BFBF6A9C33C30DA5DB8A4B34524EA8CCD2D048A068ED003E124A4B40D87A614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:30.520{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F47ED07E33C3CE85A3B12C5DC1C576A,SHA256=09E43B04DDD1BAB4B7D716B5435E36E58FD8B0CD7E73F71EB658510B5F6D76FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:30.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:30.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF9AD1AC515349640F0BEBD38085769,SHA256=920788159715B5F76A2623D15D06EF6773C5EC4ACAB43E4E862CD1D65397264Afalsetrue 11241100x80000000000000007543077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:30.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:30.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54BA059CF70089119AFFAADC392BE268,SHA256=4ACBC96C84228B62D1522500BB207371D62349F17457D2F27F1F1E9E66A6CE9Bfalsetrue 11241100x80000000000000007543075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:30.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:30.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA17C322E5C4DB6B4F7349D7FB147C20,SHA256=9022096B3EDD037B46930B72130C0D2F92FD565A25728A2692F1C89089B3AB7Afalsetrue 23542300x80000000000000002131259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:31.522{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBF0D2622197EB1267220E698185D73,SHA256=A9F8CB74F8CF3691333F7BEFCEFA76105F1956C45CFCBC156D2483AFED6F64EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:31.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:31.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3CBA8B5BA93600AFB97A1193F98D4A,SHA256=99D338E351ABA3F0464A36712C25F891DA7DE3A5BDC97624A3EEBBC01034418Efalsetrue 23542300x80000000000000002131258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:31.122{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3A30A53BF969A1713DC4EC40C9D750FB,SHA256=DAE92D805351BFBC0740C717FFCB35E5659F033D383728F8669ABF2F8FCB8DE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:31.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:31.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D3C919EFEEFFDFEBB4CA7C7B0B28872,SHA256=49DAB26E4322992146B9912E8759E9A03CEECA589C6A60B34CB8EB1C2B91F2A0falsetrue 11241100x80000000000000007543092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04DB04FD00E698F4F74BE60D70D9E7E,SHA256=DB0A4283EF9F8CA16A939685CF432B971B32A44B17DEBDF5EADCDF99607B220Ffalsetrue 23542300x80000000000000002131261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:32.525{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F6DDDD52C09D279665F77D8690A589,SHA256=ECDD13C70446DA2BD1812DC08389965136C084AC1CE85B7902BABA2029B7F556,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002131260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:07:32.309{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a666-0x57f2566b) 354300x80000000000000007543090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:12.996{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56740-false10.0.1.12-8000- 11241100x80000000000000007543089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.504{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-09-10 17:07:32.504 11241100x80000000000000007543088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.504{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-09-10 17:07:32.504 11241100x80000000000000007543087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.504{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-09-10 17:07:32.504 11241100x80000000000000007543086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.504{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-09-10 17:07:32.504 11241100x80000000000000007543085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.320{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\SiteSecurityServiceState.txt2021-09-03 20:49:00.201 23542300x80000000000000007543084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:32.320{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\SiteSecurityServiceState.txtMD5=192980A0CF480AE714003433BACD0EAF,SHA256=04CFA5EF6E36D9293CDED9306C687A4129A7C44BA0E4FDB83785B19B4B382DBCfalsetrue 11241100x80000000000000007543094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:33.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:33.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C40A61B0D5E0FAE6D69248E0B180C7,SHA256=14658134EF5E6BCF904996F207E729FB084989AD9DD6A53022F09CFF11092A90falsetrue 23542300x80000000000000002131263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:33.526{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6D397AF7DCA4C8F58F7E871C347BE5,SHA256=4CB3BA441D6C6610A102816A961312A4DC02A1AB2540B96F5015B21E18FBCB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:33.257{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC4E5652B6084FE22ED7D6A1286AB984,SHA256=587934FF4EC4CEC81D6D6398FD1DD416727C9FCB7B7E059E021BD8269A4ADE5B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:34.869{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:34.869{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68C216628DA04CD4BB8EE75528F5FCC,SHA256=D1935F4C519C25BE9101AC32BFB4A65099AF12ABB370AB0C35E25A53077ECD34falsetrue 354300x80000000000000002131265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:25.030{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x80000000000000002131264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:34.528{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F94B7923517F4334DD7CC1E6455BAD,SHA256=0A34D2007DD6E2CFB3C0DDD0CF4740C168532069385A48833CA1027A640A0AA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:34.102{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:34.102{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=593E9373B3510A402D4062355E9E658C,SHA256=B599A1DD2CACAB9367C86BF0E90A52DE73504DB1D04BF39C37D77A0E3547DEC6falsetrue 11241100x80000000000000007543104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.883{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.883{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A64A7ABD088784DF7553110AF8B3A7,SHA256=7A8A1BD28050B3F978CC7E1A2F4839189D5853233F74C7F00CA285C7FFAA13F6falsetrue 354300x80000000000000002131268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:27.034{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62347-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:35.545{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F3D198C724E6E757A703310D408D92,SHA256=ECA959DBC9EF85DFB68EE798F9EE56C10BE733086EACF48DD643FD319F34FE7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BC92145BF8D11AC144CA9EBEA8124DE9,SHA256=FFFBC3576499FDD1DE4E8978F67D12416AA5ED6386CDEA84B852D1C8BC2342A6falsetrue 11241100x80000000000000007543100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20E4E20D72BCBE7D78599663DFAEC94C,SHA256=C3A73D41C88ABD61CBFC9324D4B9AB7A7E245DB98B553C3013533FEEAD98A9E8falsetrue 23542300x80000000000000002131266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:35.276{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43CEA70BA21C7861B7E98A056927B58E,SHA256=1327FC73A1A000623581F5403C0005E059E76C09F6FA1CC7FF072568CCC0A692,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:36.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:36.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3483A0FBE83B17F12EF55D7692CBCEDF,SHA256=16F5D87A2106DF3EB420F7B58B35CF9A7AEBF71D0F7679D19218605B10C921B7falsetrue 23542300x80000000000000002131269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:36.562{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FCB693FAA207007A60E5868C5E33C1,SHA256=973D876B17E998FD2CC443E893DABBA94CCCA9B4C6A3A328CD02F3A2A8E45134,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:37.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:37.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BE5362CB194C92CC5B367CC161FB1E,SHA256=D84A041691B0A1325FB48AA7E584407CC4BF1B2F728A3AFC048514E91A15E999falsetrue 23542300x80000000000000002131270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:37.565{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DFD6A011AD626B90E4755FEFBC4869,SHA256=9581836A6E05873759EB40713A700E5441337CB6EE02192D1614CCCFA065D4D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.906{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56741-false10.0.1.12-8000- 11241100x80000000000000007543110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:37.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:37.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D28C75004619F729FB3CFE21D1DD0879,SHA256=5CCD5113A986724F5C3FC9F8B964011A23DFD7EC81A94427236D376CA8A588E0falsetrue 11241100x80000000000000007543108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:37.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:37.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5437D70DE0ADC573F242A5F7664780AA,SHA256=1580B0BFB38BF4BF425522B0FCEE7147E66EF2171F3777380157CA30AB9FB270falsetrue 23542300x80000000000000002131271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:38.567{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41177EBF45EBD740738F49B12F377337,SHA256=E73E8ECF671D1EB5D94CD0B10DE8361A8250FDE94F206E8136AE003D22C27886,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:38.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:38.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FD1D07F482153723331D3D0D5042BE,SHA256=F4C6486F427A3CA93F5B2F42F5D40F04DEC551756BA40234B8D5A5A788F9945Dfalsetrue 11241100x80000000000000007543119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:39.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:39.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6B9E4CF4E381B7347B7BB1C6910996,SHA256=B10AD9F5E2F6B05D0B85B65A348EE732814B651E1AB68C9E3C18E25497D21F34falsetrue 23542300x80000000000000002131272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:39.569{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB728BFCAC6C728EEF10CBD6894FEF0D,SHA256=D7C67588685BAA7AEF73970BBC28A14250C5231DCAF4A1EE3E053CEA48800965,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:39.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:39.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CF59B419152DE3D3643DD713F94BBD27,SHA256=3E37CEC1BA1CEFB0246A88820D7326204DAE4626D2C399C683087A29FD14EB53falsetrue 23542300x80000000000000002131273Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:40.571{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77165753258507683A2A0050DA29D7D7,SHA256=74F33675E54D34A33F6C4971DEDE6EAB4E7591C726EB01D205E884DA22946922,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:40.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:40.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E656ED4F0FF1A31B5004070293B3A90,SHA256=DB980AEAFE0A0195ED52509C608C859D83F1377F3F46BE2305A2D5CCC9151EC4falsetrue 11241100x80000000000000007543121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:39.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:39.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C5E275C3F278660E0C2D0A4D2EA0306,SHA256=FB3C42F074C6332A30AF6ED9E65A50AA03EC5CD9681A4DC7FD0A8EBC624DC4E2falsetrue 354300x80000000000000002131277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:33.015{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62348-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:41.606{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6892AE716197E19DADB72E7B58C6C8,SHA256=6317D813CD261A4E787C88BD8F3B17A07DB99461D8DE9D381E4EE0EF652E5C2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:41.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:41.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8491269D73ECCC0720D96D6679B969,SHA256=B7F319ADA7C70D1575172976A7771D30CF9509E96D7A3A6B5C7193D26911B200falsetrue 23542300x80000000000000002131275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:41.225{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887F7F28FA3E91763C6EC2EBDE6E1AA4,SHA256=825F62763D29E9ABF91D3E65BCAE151927CD43BD73A22C14F6AA45A0F32B6EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131274Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:41.225{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA4C0CA3A091327AA5D41E705E8BAA1F,SHA256=5AFABE776F0BF6EDD06E3D8F6AD759A28609C73749709FBBF74EE00EE80FA0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:42.643{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CE272C2B88B7F153603ABE9E9F89BF,SHA256=F0566D4596ECADDF147ECBA19C2A2D908FA219769BB9DF12FF677806EE1A050F,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007543133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:07:42.843{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007543132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:07:42.843{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007543131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979727906649BF421720DA9818B94255,SHA256=73393AF9718D4CBA14507B63169047123C13E411C155E77A532D4941F7B0FC11falsetrue 11241100x80000000000000007543129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D28C75004619F729FB3CFE21D1DD0879,SHA256=5CCD5113A986724F5C3FC9F8B964011A23DFD7EC81A94427236D376CA8A588E0falsetrue 11241100x80000000000000007543127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A25747D5005485A7C4F8D02E18E617,SHA256=7445D259F77363723C1CCC76EB393E72E235E366B5AB3A1563E339F723DC8F41falsetrue 23542300x80000000000000002131279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:43.675{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEDF63337AF379DC5E3A812D551D5DBC,SHA256=F09E79DBB282A7D3C3F0C16983111BB958B685F66A58C703E8C5333D97987A2B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979727906649BF421720DA9818B94255,SHA256=73393AF9718D4CBA14507B63169047123C13E411C155E77A532D4941F7B0FC11falsetrue 11241100x80000000000000007543136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3023A728D598CC432F9F4A1E999CD54,SHA256=86B0AEE7E2A5690A885AAA908FE6CCF3782B9A437F1D18EDC52013E1A0379B9Cfalsetrue 354300x80000000000000007543134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.096{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56742-false10.0.1.12-8000- 23542300x80000000000000002131280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:44.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1422FDBEC8861D3D9DBA61B0F99ED1A5,SHA256=295C3185CD603F5916783B174661891F840B6D38B75436E7DAA8FEE2AC70A2DF,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007543256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.940{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.940{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.924{4DF467A6-90E0-613B-6322-01000000F001}4246108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.924{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.924{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007543251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.819{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.819{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.818{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.818{4DF467A6-90E0-613B-6322-01000000F001}424\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007543209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.788{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.787{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:44.787{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.787{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:44.787{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.787{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:44.787{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000007543200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.521{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 23542300x80000000000000007543199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.520{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=1201A3EE08A0DE851B74948760D59DC0,SHA256=503089C5C43FDB1197AEC8E6DDF376E61E06438D713B58BB068C248C9A0A1129falsetrue 534500x80000000000000007543198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.257{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.257{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.241{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.241{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007543194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.188{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.188{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90EC513D3B5F8456BED8EE2C2BBE08C9,SHA256=246DAE532874A72760500C30895885767FCDC04FB0684C91F74D6698E55E7116falsetrue 734700x80000000000000007543192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.125{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.124{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.124{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.124{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.124{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.124{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.124{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.123{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.123{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.123{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.123{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.123{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.123{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007543155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.122{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.121{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.121{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.121{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.119{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.119{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007543149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.104{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.104{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.089{4DF467A6-90E0-613B-6222-01000000F001}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007543146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4484E989721B3F0B08764297F215C4F,SHA256=1DF058EB6A17ED2A2F8BA2418C449A63A6B1465EAB2E039E300874EB961EFE84falsetrue 18141800x80000000000000007543144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.088{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:44.088{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.088{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:44.088{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.088{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:44.088{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:45.749{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD83BEA53905E20B23BBD9DA6B11A4C,SHA256=5EDDA0C4F8D553A21CEF32C9D9BE699D9CDF4D861FD5A4401542B5486EC01D16,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007543324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.470{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.470{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.470{4DF467A6-90E1-613B-6422-01000000F001}3272632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.470{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.455{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007543319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 11241100x80000000000000007543309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007543308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5000062267767DC3200B2521DB24DFF1,SHA256=F659FE2106D64AB5691925DFB50072C68F28864E2D12CEAE24C399BA73BA6095falsetrue 23542300x80000000000000007543306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B416229C0CE0502105146C998D48406C,SHA256=3D5300D0E05AC1DC6538CD1354DEB7C05AC70A1B5A7DDDCCED41BB4A6575E624falsetrue 734700x80000000000000007543305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007543273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.318{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.318{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:45.318{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.318{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:45.318{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.302{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:45.302{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30376259340E489302838AD652F7C424,SHA256=FDA23FC106A7249795930B0C51529E7F248834E8A8068D24CE8AED471DEB0001falsetrue 11241100x80000000000000007543262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C1D4BF4FF8BB7C70EC7E4C913D76A3,SHA256=FAAF4707317213AD2E72BA20758FA4BDDB9FF19B696D6974096A5D6AB695AAAFfalsetrue 11241100x80000000000000007543260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D319E765C3F3A31D2C8AB6FA0B17B675,SHA256=C9CE9560C7466AB27988AC59E7F7B7AD7FBBBE42F62E81CE7AB0CB15A270DB83falsetrue 354300x80000000000000007543258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.715{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56743-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007543257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.715{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56743-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000002131282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:46.750{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80536C0D69941FCA37C4111D28FDCD,SHA256=DD4D59853E01F1DDCA0167CD2ADEAE1ECE8BA0AC1ADFA6EC042AF2B5A2903E08,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007543445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.838{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007543444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.838{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.838{4DF467A6-90E2-613B-6622-01000000F001}76925348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.822{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.822{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007543440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.738{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007543439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.738{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 734700x80000000000000007543438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.717{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.716{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007543434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007543432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007543401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007543395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.701{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.686{4DF467A6-90E2-613B-6622-01000000F001}7692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.685{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.685{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.685{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.685{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.685{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.685{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.500{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.500{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285F6F383B58747B482327F9F887D7F4,SHA256=5F48ADF5D622204DFEACF8CF9A8444E96965C9048E387700C2104811B110FAA8falsetrue 11241100x80000000000000007543384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.469{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.469{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC0C59BACB6715E82DAC3CA077199B5,SHA256=9DC1547612E324B67EEB9F35F5A81DAEFD62195A8DCDA255D5B82E3C45AFFD67falsetrue 11241100x80000000000000007543382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.469{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.469{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B3F7B3FC7104BE3FDEA1C6D1B196D8,SHA256=CD7923341BB05610BDBACFAE753F907E070E703D582513FA3E883E3E3F4F189Cfalsetrue 534500x80000000000000007543380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.154{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007543379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.154{4DF467A6-90E2-613B-6522-01000000F001}51486332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.154{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.154{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007543376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007543372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007543370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007543350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007543338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.020{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.019{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.019{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.019{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.018{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007543333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.018{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.017{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.002{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:47.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6974910EF951592169A89A4C6E3C44,SHA256=0DC83BEFE3459A24FA2169ED00B3652F46905CF671535571464582F46AB2ECDC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD9FE3B327657DA25B2F51724A17594,SHA256=766C75397FC8A2D7D9F0068DE36A2B2249C38CA496F093D3B371D485233848B2falsetrue 11241100x80000000000000007543509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDE509835061C55B553BE21AE25ABBF,SHA256=9E67436F20AD6FC9B360220E011614ED20F295A715AEA941C09C9EB540D1DF3Cfalsetrue 11241100x80000000000000007543507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351DB768F77C78B672045420B66E9ED6,SHA256=D00AD4C752615795B98DC05A94BF1B34E4C0CD637E440B8B2C01D724B78A742Cfalsetrue 534500x80000000000000007543505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007543504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000002131284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:47.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712B7E232D197D121EF8A1FDB4EE1016,SHA256=95874FA17B165107E95C1E2993540E5188245ED265BC59956FCA5F0FD7B52DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:47.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887F7F28FA3E91763C6EC2EBDE6E1AA4,SHA256=825F62763D29E9ABF91D3E65BCAE151927CD43BD73A22C14F6AA45A0F32B6EAA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007543501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007543497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007543495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007543490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007543468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007543465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007543464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007543463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007543462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007543459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007543454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.369{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83501EBDC6D4EEA4EBD020F72360D6BC,SHA256=C28441FD419973D851B0DA01E78F3A1DB2D6708F3303F59B4EB46204A751F9ADfalsetrue 23542300x80000000000000002131287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:48.785{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B623930171E953D3E12BA543B55BF111,SHA256=177DB7AD78F932D40D12DBC20AF5C0FFA876D51990712342408AF28D35234329,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:38.956{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62349-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000007543568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.219{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007543567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.218{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.217{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.216{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000007543564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.589{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56744-false10.0.1.12-8089- 734700x80000000000000007543563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.094{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007543559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007543557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000007543546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007543529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007543525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007543520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.078{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.063{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.062{4DF467A6-90E4-613B-6822-01000000F001}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:48.062{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:48.062{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:48.062{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:48.062{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:48.062{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:48.062{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:49.801{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C26E1DC5E8C566A6728ACAA623DD91E,SHA256=450A3BD9D9D31BEC959FC5B7CF09342FF677C29495030B60565F1BDA5585A6AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:49.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:49.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AD57C89F9F5C4E3F9F8C12AC3713D0,SHA256=3EE59928C1094971004652A18F1ADFA1B8865372FC6CD1308679D2647CDF7372falsetrue 11241100x80000000000000007543575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:49.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:49.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A010A91C23BF3ADEF7376135712C4F12,SHA256=4C85D0C82D93F3F7CD75B7FA5953D3A4C4CDB4529691AA44FF1FA605846D4843falsetrue 354300x80000000000000007543573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:29.976{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56745-false10.0.1.12-8000- 11241100x80000000000000007543572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:49.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:49.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3378C6FF645A3F1DA26957D46F39168,SHA256=3B6EFF899F26F99348CC2875BA123CE623BB7E684C868B8C97F21974A40EBD4Afalsetrue 23542300x80000000000000002131289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:50.821{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159D86B742C1067CCBE3785C495C50B,SHA256=72F356936F4374164745D00C9AFAD69594B0E0B0AD6EBB613681ED0C8D985ED7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:50.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:50.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64A9271BA2370CE8F613DBC768B2688,SHA256=FD04C2A7E6F040EEDE928958CDF3D825C23BC5ABD8F554A1E2A46E5C9B55745Cfalsetrue 11241100x80000000000000007543581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:50.379{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:50.379{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A250B3094FB367B49A23C6B7F8C4D6E,SHA256=A20D77CCFD48AC9A67B258929B799DEC38188FA7CAF6F311579B142E4A524D23falsetrue 11241100x80000000000000007543579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:50.363{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:50.363{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9F62A134765C66A422346F4B41358F36,SHA256=92DD1FEE85C57965A2B99E62B7D14621EBD34D382548E1C4D5BB429189D96CD6falsetrue 11241100x80000000000000007543585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:51.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:51.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF5BB7A78480B23E15AD471FE553EFF,SHA256=5D6514D7D244BB8C719CCB82A46D88992D856B4C7814B2C4F6E4F05204CF67E2falsetrue 23542300x80000000000000002131290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:51.823{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408285693C59FAAF31BC2F081B8C4FA3,SHA256=A1F1DE2FDFA5A0D17AB31584097BD0C62C26099D671EB89AE0C6ABE6B319BF80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:44.013{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62350-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000002131322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.827{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C961E7E35ADA0103CF790FEB988BAA46,SHA256=5FF663B7779B014FF50044A47D176B35153F7C67F2B64C71C8EE3446C66FD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6555B128FF3BEF095B23A3F7111CF7B,SHA256=338A210048412C9CECBF52CE47EF3206D24B27FDDD28691379ED328244C5EF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712B7E232D197D121EF8A1FDB4EE1016,SHA256=95874FA17B165107E95C1E2993540E5188245ED265BC59956FCA5F0FD7B52DF8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E143DE60D4009EDAEE41ED6B8BB050,SHA256=3D7F813C83BCD3553D77A88DFC6467FE5A3CBD75BFA13CE58B11AA54A72B2CECfalsetrue 11241100x80000000000000007543587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15836DAD1F464CF8004653FCA9915441,SHA256=573CA6DE0B19AD1AD096D4A97C17423EAF940F9CD59AD8D7610564889C469FBBfalsetrue 10341000x80000000000000002131338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.780{AEE49BD1-90EA-613B-921B-01000000F101}9285456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90EA-613B-921B-01000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90EA-613B-921B-01000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90EA-613B-921B-01000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.649{AEE49BD1-90EA-613B-921B-01000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1316F7D26521A585330EEF76C3675F46,SHA256=CD3954040788A65DF30EC3E654AD7D238593AB458D8A8A315AA710E3A167285F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:54.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:54.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D49310F9FE2693B9859AFA1141DA835A,SHA256=7881181B8F8DF4544E3395F93B964A3E7D1F50B77BF8E3A4D0CB4BF5CE4FE4D1falsetrue 354300x80000000000000007543592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:35.001{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56746-false10.0.1.12-8000- 11241100x80000000000000007543591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:54.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:54.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F602D5657A2B70DCB33862187DA004E,SHA256=9BFBE3F1D0F10BC7053DBA1D54F091171BFEF6C8C1F62B7B770FE66315592BCBfalsetrue 23542300x80000000000000002131353Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.650{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6555B128FF3BEF095B23A3F7111CF7B,SHA256=338A210048412C9CECBF52CE47EF3206D24B27FDDD28691379ED328244C5EF40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131352Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90EB-613B-931B-01000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131351Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131350Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131349Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131348Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131347Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131346Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131345Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131344Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131343Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-90EB-613B-931B-01000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.334{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90EB-613B-931B-01000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.330{AEE49BD1-90EB-613B-931B-01000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:55.265{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C75B9C4FCA5FE50003923A66971A42,SHA256=ED707452E560B5CE95762EEE191124BBA1C7CF50F0448676C0125E52BA5D58C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD062403FDD77008998D7E88227A21D4,SHA256=F3AD3D0E32C47ED1BAD3D234E3E7A7FB59B309E9DD5893B91E656E787A12DCFAfalsetrue 11241100x80000000000000007543598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81E0037BAB475B5A3C05BC99130C5CEE,SHA256=A41DFC7801C14D4891C5B3D50BCCBF0733CBBB316EFA32777A9CD2EA974DA348falsetrue 11241100x80000000000000007543596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE4E6DDA4368EF99F0783D4E14A7495,SHA256=66D4ABBC1B6A640986C6ADCC62606975DD75B8A77507D0740CE576E55E0ADC8Bfalsetrue 23542300x80000000000000002131367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.766{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B296B9A47D57D8E1510E67AE916A1F,SHA256=92EAA08E409C3EE84251AEC17B85A5D5289986F52B322E0CD9F9BDFCBD5E0D4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:56.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:56.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F24FE0B83C8C7D6394CC7647DCDED4,SHA256=CB8421D1B344CF607D5C92A39626C987EB793CC564128B17F341A872241D0395falsetrue 10341000x80000000000000002131366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.032{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90EC-613B-941B-01000000F101}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131364Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131362Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131361Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131360Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131359Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.030{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.029{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-90EC-613B-941B-01000000F101}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131355Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.029{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90EC-613B-941B-01000000F101}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:56.013{AEE49BD1-90EC-613B-941B-01000000F101}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:57.814{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4C4A6240F979C7E54B784BAB183A3E,SHA256=5657FA3705296C2680DA5528C89D7408F82EDBDA4F150C7F1213B8ED7CAD36F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:57.552{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:57.552{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B2DD9F60F871E868F0FA0583A59D68,SHA256=5F055D21DCB993F2BF6DEF8A58C70E6F8328F8AECA17A4CAF00113E8EFF0871Bfalsetrue 23542300x80000000000000002131368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:57.031{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=325C39EBF20CF00366DCA7C4653FB8F0,SHA256=B1AD5B49CF6B0F2649A2C1AE5D7BEF66045280F3D7ED21D6E4BDB0E3D71008F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:58.816{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D0F508111D3E13FB4BD9A29406A689,SHA256=E688CE12CBDC525943B8A3545CAE9530A238F1EA9CB8AAF476691941D74277DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484A8A34405DEDEA6C6750E371FCDE1A,SHA256=4810ABF75E4E79FC0E299A368EAD279BA9E2CD6B66F7580C9FC87C21566A4AE8falsetrue 354300x80000000000000002131370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:49.019{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62351-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007543606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.499{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000007543605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.498{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C90AC667F0654996212055BA8C71F9E3,SHA256=10127D64BDAAE5A96268B165F0EC4D3D59914404CE3E3E2C28488E9FABC8F6B9falsetrue 23542300x80000000000000002131372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:59.836{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C930ABEDEC1377B16E7C8308621A69,SHA256=D25A96A8FAB6D896B7C05FEA26EDF0FDE049624F7D2B1FF080BB8E8CCAF745E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE09F0F406C295FD45F7857B53DEDA5,SHA256=33DFF4E47EC22FC6C050BB4742FCC6FF4481AAC0A4E0BB7E581E16FAE9B1270Cfalsetrue 11241100x80000000000000007543614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B0A38E039EF2FDA5E6E58B492E015E2,SHA256=DA0D8753AFFD951F01008A9057A334B598C1EF8059DB02D4157A6F41B7BF9A03falsetrue 11241100x80000000000000007543612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC8D0FDE0C8603935DD1423D8D92ED2,SHA256=92B9F3E7B3F6B6F68D546E192012C8408AFC0EC671E142DC02BC01F80974D760falsetrue 11241100x80000000000000007543610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=496CCCDE41B02C27B12F0B3EEF4109E4,SHA256=A66FA519CA2C9F8EA9D608AFD688F1F6A1C1152163428CFF7429E8BF2AB2449Efalsetrue 23542300x80000000000000002131373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:00.839{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB06544D6F1E0E1D7FFD5854CEE704A,SHA256=0E7DA2E6685401CC8C80546BABB61D92558A5075F81FBB2E333334DA1F876B6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.616{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.616{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CA498150352AC3B101F35CB7ED3D7E,SHA256=44394591BBD3E8011B7C30C5A621FABE72D680CD5940D30AC16F96EBB6313DD7falsetrue 354300x80000000000000007543621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:40.954{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56747-false10.0.1.12-8000- 11241100x80000000000000007543620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37DB81182B0FC04B3790856109E3EAC9,SHA256=A3B3374EB58CD99F25B85665434572EC4C61044FA5B2E4604C046BD909DABFB8falsetrue 11241100x80000000000000007543618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=24A9E0AFB8F23315CFE3BB879EB8C6B1,SHA256=0B062048947917F1D6112AC1CF86738E0819C78656029F7CBBADC4390D5EC0E4falsetrue 23542300x80000000000000002131374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:01.860{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F864FFA4F3E006D51CFBB73B9C1766A,SHA256=9EAD9824F542911FF50ADD404C94483CED84E508D9F89211821530AFCE252045,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:01.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:01.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39571C2E4B09CFBCD88D4FB337BAD00,SHA256=88CC3382167DF49DCF8ED3B27D3B6986E9393FE49A511C1C891753304556C91Bfalsetrue 11241100x80000000000000007543627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:02.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:02.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16DE62A44454B69F2336138F268A90E,SHA256=6ECD0927F836578E697840504ED0EDCE22F3AC85512074B78EB33A0A47231198falsetrue 23542300x80000000000000002131375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:02.877{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E203318B30FCFAF9EBDC145A92403994,SHA256=2865A9386247DDFE0AC8CC38A79D91B1D5F8B63D983A8F53DE4A63E66E9EA3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:03.878{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874D05A64DDA7E8200EF88103DE64353,SHA256=14414B26BD243D31F0652F20C5BD7054CDF53E802BB15FBCB6182033CF5D55E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:03.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:03.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB77B9666E1D193E4E52C77962A59B7,SHA256=1463EC649C1C0D1117B30EA8F45174F7C9CDC92269F72082630DEAFC19ED36F1falsetrue 354300x80000000000000002131378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.928{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62352-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:03.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9761C717E608888971992324916E3BE6,SHA256=B155E70E50E56019F49ECCEA87CD6695512CFCF69722CC22AE24DD4BFA2DFFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:03.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D48F453D057363EF4B896AF7021D00F,SHA256=500CE3131672BBD18A460135A22777A8AD33DC3818BAC3C0EF0AAFC00D8C86BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:04.896{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5094E736A5AF43DC20009F70125BBA,SHA256=7FCC937F3668D267E988C8734F229FE2DA767704C230E19A3E28C911B078F2A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F33F3DB46F9B95CF9B8996C5BDEB00E,SHA256=2C1F0CBBBE24FC1C227FDB918C9CE20835F7F6E546917F195BB551BEB41B833Cfalsetrue 11241100x80000000000000007543635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB5838C2ED8F5964E03C89FC52FD7C09,SHA256=E6D366CC38BC7A3CE7DA95CC73BB882391257BAED42AC0AB0047691BE40835BDfalsetrue 11241100x80000000000000007543633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA2E93DFF85B02D32611A106F98FD21C,SHA256=3E3B835E0CF847029D888C43FA9B03312073239DC1EB9282B2FCDD49AAC1C702falsetrue 11241100x80000000000000007543631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC8D0FDE0C8603935DD1423D8D92ED2,SHA256=92B9F3E7B3F6B6F68D546E192012C8408AFC0EC671E142DC02BC01F80974D760falsetrue 23542300x80000000000000002131381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.897{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE645C6C3F4CB76E67B31BA605A46B3,SHA256=FB3DA29835F1DD0FAD4210605027969E1442C5EC768E6C16CB54820402F4903E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDB4FC8FC202C8729EFA085E4389484,SHA256=42B3C65C1794B05E5D3157FB4EE0F57E878DF2E76B0183C7DBAB3605C26E12EFfalsetrue 354300x80000000000000007543642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.915{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56748-false10.0.1.12-8000- 11241100x80000000000000007543641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6C1768A07DEDC7985981F7CAD1397C1,SHA256=48D28C668E3E0B3F5799072CA5725D05A349C95A5019C21819887D8BBC2DBAB4falsetrue 11241100x80000000000000007543639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=279C6E02BACC452085B9C5371F537691,SHA256=8DBC125D39736ED2AC9B7300CF0B0D148883DD3763D1FD84F07FF929AC83760Ffalsetrue 23542300x80000000000000002131382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:06.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D82A1B2ED61614C25E228AA23372692,SHA256=4FC8BD3DC0509E597D8B74CEC7455885745A57B8C3FBB7163E40ED8EB7774662,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:06.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:06.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1292198BF0A9C759923465EA30DAC6E,SHA256=6E11D83F2FAA3ED8D2B278C15125340D38AC41933D37BD945BED4DB8128F2452falsetrue 11241100x80000000000000007543648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:07.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:07.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6074061FD85677BD08C93CF97AD85F7,SHA256=350C04FC94E19D9951BB59C2768132612F5D13B70957A8B5E61D5CC3F089A11Afalsetrue 10341000x80000000000000002131396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.901{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.900{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA870F37DB2D7124961A7F60D1E7C309,SHA256=652F85DC6DFA07EA9C01F1B2B6BF74356B10C45A66E5893670F4147250E22A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.984{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552DFD5C588A3A6438305B943536E936,SHA256=B94177362DDA8CF4EB727E287FBE9B1A47F91412837F08384E13C7E3DFF19438,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:08.836{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:08.836{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABE30EA38DFD945188675283F8D0543,SHA256=C0EBA1AA19ACAAC38FB91FC3CD88D5C81D94D970B150E1099B78009C99190475falsetrue 10341000x80000000000000002131412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.716{AEE49BD1-90F8-613B-961B-01000000F101}21843648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.585{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9761C717E608888971992324916E3BE6,SHA256=B155E70E50E56019F49ECCEA87CD6695512CFCF69722CC22AE24DD4BFA2DFFEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.052{AEE49BD1-90F7-613B-951B-01000000F101}40045772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007543656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85424F5BC00CF2B90256B43A2E6D31B,SHA256=9D6549FD2BC9A7DB4312987A483B07EA4987603C42C11EF0873C857D19310EA7falsetrue 10341000x80000000000000002131430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.901{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+21ac1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3a6e|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.601{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=555E448C0C18B9ADC9C54C6F36A0B29E,SHA256=014DDE2A9BF96E81EBCAEF4D925F913EC84EE67BAF1B17DF756AC4DE4F42FAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.416{AEE49BD1-90F9-613B-971B-01000000F101}47044292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90F9-613B-971B-01000000F101}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131421Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90F9-613B-971B-01000000F101}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90F9-613B-971B-01000000F101}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.286{AEE49BD1-90F9-613B-971B-01000000F101}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002131414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:59.937{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62353-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007543654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.404{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.404{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=13FB0DC41F52C1FFC127858DA0FC395E,SHA256=7DB8CC2D6C232B0AB8065EF0339A4B8069702AA188367EB1FE406449510A60B3falsetrue 11241100x80000000000000007543652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.085{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.085{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA2E93DFF85B02D32611A106F98FD21C,SHA256=3E3B835E0CF847029D888C43FA9B03312073239DC1EB9282B2FCDD49AAC1C702falsetrue 354300x80000000000000007543665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:52.054{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56749-false10.0.1.12-8000- 11241100x80000000000000007543664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1056B9AEE0277DF1E5C0225E986516,SHA256=C088BB8F4EBD0509F2B1FE1D7923F1856F3161F28C01F0E74FA0250402835D8Cfalsetrue 23542300x80000000000000002131431Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:10.001{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2E5CF3CCAF7DD0948BD9E886E32536,SHA256=7C0F92835523BBBD41162879E1E33B47DD63ADC392C076F0010399926DE6E97D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5D2EBBCA6691F932288B1F08657E9E9,SHA256=A22CE28151E2E142CC39F1EF7EEC2E1E1A2745DA4FE22AEE4BBB85EA36D59287falsetrue 11241100x80000000000000007543660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.218{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.218{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8153EBADA05F838DF630056E173947,SHA256=0FEC3A45AAAC78AC4BF6F408E0131167FCBD6423D206CB6BF30FC51CD19A7B64falsetrue 11241100x80000000000000007543658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.203{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:10.203{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7A9C02A15E1818CDC2D993F2968F21D,SHA256=89CF96948CA9450E0A4324DD6A5D55D44E90352E54B1550D9937A2B6FEB17D51falsetrue 11241100x80000000000000007543667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:11.900{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:11.900{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA98D5FA77043FB9C2582FF0A83C970,SHA256=E78708C9230C67D6E51BD575C299C89DE6A11C7D56A0C229226E7F6CC9106484falsetrue 23542300x80000000000000002131434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:11.602{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131433Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:11.220{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9916MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131432Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:11.002{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE2730C6E82393ABF8432A5991DBC0F,SHA256=6ABE19B06ED8F76829F9274BA3E27F54DC8CD403D6C5875033AC60C12EAE5BC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:12.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:12.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0246B0977AD5927BBFC35B0F8717ECC9,SHA256=24E8FB24E648F9733FA4DB567FA248EED10E8BBFF8F2F0492FF4500040DBF769falsetrue 23542300x80000000000000002131462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:12.836{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=268F691C5FB7A862EF837A2B15EAF690,SHA256=747EC5FF970FB7983AFBB8BEF45680D0D182C1948FBC3ADAFC11AD683BC4BE00,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002131461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002131460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002131459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002131458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\FlagsDWORD (0x00000002) 13241300x80000000000000002131457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\TtlDWORD (0x000004b0) 13241300x80000000000000002131456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\SentPriUpdateToIpBinary Data 13241300x80000000000000002131455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\SentUpdateToIpBinary Data 13241300x80000000000000002131454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\DnsServersBinary Data 13241300x80000000000000002131453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\HostAddrsBinary Data 13241300x80000000000000002131452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\PrimaryDomainNameattackrange.local 13241300x80000000000000002131451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\AdapterDomainName(Empty) 13241300x80000000000000002131450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\Hostnamewin-host-296 13241300x80000000000000002131449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002131448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000002131447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000002131446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\AddressTypeDWORD (0x00000000) 13241300x80000000000000002131445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\LeaseTerminatesTimeDWORD (0x613b9f0c) 13241300x80000000000000002131444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\T2DWORD (0x613b9d4a) 13241300x80000000000000002131443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\T1DWORD (0x613b9804) 13241300x80000000000000002131442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\LeaseObtainedTimeDWORD (0x613b90fc) 13241300x80000000000000002131441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\LeaseDWORD (0x00000e10) 13241300x80000000000000002131440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpServer10.0.1.1 13241300x80000000000000002131439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpSubnetMask255.255.255.0 13241300x80000000000000002131438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpIPAddress10.0.1.15 13241300x80000000000000002131437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:08:12.773{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000002131436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:12.219{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9917MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:12.019{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6350FD045BB3F65780FDC946077DB0BF,SHA256=8B4089879E51A32E0E31106CB40E91832B64461BA9F889E742FA18548BE96DEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:13.943{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:13.943{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9847750444857997BE3D40B6BB9A6E70,SHA256=695328DC77153C0127506B4E72FADC7EB70F72D8132623D948D17A86F94BCBB5falsetrue 11241100x80000000000000007543671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:13.797{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:13.797{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F40D42CA7F30123158A3E3D7C1B60D90,SHA256=4981BCE4302366A078790AC889D3BD1E54C1B7E06E4A2D25291B286B49284E5Ffalsetrue 354300x80000000000000002131464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:04.393{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62354-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002131463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:13.020{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53299915DF8622DED3B26E7953CB6E7C,SHA256=A8EC4F0A6035FA179FE35DC9A476FE4C1E9251A74770EF1670323457498D3464,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:14.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:14.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99418BC1C8887BDFD0A417CF1EF77619,SHA256=987424F9A684B42A10D7F0D94AF51692C2DF7FB3DE23309B62FB48BA11D4F6AAfalsetrue 354300x80000000000000002131467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.563{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 23542300x80000000000000002131466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:14.174{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44C6A7BF4D9EB867B2D3C306135BF039,SHA256=D737C61AD4FBCAD83DCE3C4CC9E1A58D30628D45767B8D2E5E97A5780033E133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:14.036{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797D8E69E4922F89A796E413AC8825C4,SHA256=3AEC49D3D2CABB638C940DCE7485E349F337EC849AF67F067340303CA5E8029A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.653{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52563- 354300x80000000000000007543676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:55.651{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63748- 11241100x80000000000000007543675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:14.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:14.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D35BA98BCF0FA8700D1D05D71DB24519,SHA256=8152524D8C3CD46169D7C6F72E5D08C52FDF7EE6CB201DF9896AEDC9306D6CF4falsetrue 11241100x80000000000000007543685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:15.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:15.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F7B06B0450F501AFFF7E33397B486D,SHA256=822A42240A67CA19128AB31F44F53A9A62AB3AD242BF84D43223E0C55AD1FD04falsetrue 354300x80000000000000002131474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.941{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62355-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002131473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.571{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c870:e405:589:ffff-49553-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000002131472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.570{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:106b:c688:c3eb:2063win-host-296.attackrange.local49553-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000002131471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.569{AEE49BD1-D528-613A-9105-01000000F101}5388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse239.255.255.250-1900ssdpfalse127.0.0.1win-host-296.attackrange.local60806- 354300x80000000000000002131470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.569{AEE49BD1-D528-613A-9105-01000000F101}5388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse127.0.0.1win-host-296.attackrange.local60806-false239.255.255.250-1900ssdp 354300x80000000000000002131469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.569{AEE49BD1-D528-613A-9105-01000000F101}5388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local60805-false239.255.255.250-1900ssdp 23542300x80000000000000002131468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:15.036{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28539B2E880898C4A9678699EB5D9F57,SHA256=7AAEE11B58638BF1519BFE16CDEC08AACE7199C3D07A6CA008AF8106DD29127A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:15.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:15.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35CCED0E927FF49261B8638B799AEE8D,SHA256=6BACE85F7A63C17A1AB1C6AE526F1848A8545E2FEEE09C1F25C3FE308D96769Dfalsetrue 11241100x80000000000000007543681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:15.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:15.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5655EA71D04A67DACEFE1B31622A4ACD,SHA256=3040094562BA43748DA4B9796626C2A9F84AA7972485C32355AB6EEF5AA8CDBCfalsetrue 354300x80000000000000007543688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.029{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56750-false10.0.1.12-8000- 11241100x80000000000000007543687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:16.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:16.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B676DD5ADB112E24BC7B0699DD7B05,SHA256=099EEEFDA2B7CE0941E76D21708A4940FF2CB76EB2E2D8A9502A355A28F51AE3falsetrue 23542300x80000000000000002131476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:16.774{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12E2CD55F49BE554B7982F2767F93F3,SHA256=92446D24CA2D71929F34CE0A9A53205F18CCEA5D5631870B248071E5ADE9E71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:16.055{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E3ADA7F82A51FD650145954D05FB44,SHA256=053B83D8CCF0DB8BA92168084108D3FC0ACD023690A633373520A489312EF11A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:17.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:17.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9670BEA2133D707365F77D26FA60597B,SHA256=575837F597A4789F9A6547035A6874969FF2961C6FED34A4E49AE9B12EEE2FBFfalsetrue 10341000x80000000000000002131478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:17.858{AEE49BD1-4159-6132-0B00-00000000F101}628920C:\Windows\system32\lsass.exe{AEE49BD1-4151-6132-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002131477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:17.075{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847233729BBF98469C60AF387FE678C9,SHA256=F8EBD7833E46764316119841624743F7F37582321F2DF4842402AC3A57911989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:18.877{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50494364827E2597A21DC4094CFDED96,SHA256=31BEC130C0874BBE84B8DC9844C97DED32B285CA41E2B12E5AD7E69C91369E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:18.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADD85A2A01F7BA9DD248DE3167FB63F,SHA256=230FC24E6B60361008DA6222C834E9B50A5A8CF6C9D4B006B240545EA2FD95AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73854A0F1963CD1690455EFF9B974D27,SHA256=DAEE294076E07DD8A02EC942783B8615474FA2804E49F67387928D791C3EA12Ffalsetrue 11241100x80000000000000007543692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5763153E9103CA291965B507C37E5C1B,SHA256=37C0C0CABD0A2CC3EEECF22CE4922C92BD98AE452F5B3F9319D40CE34472FFF6falsetrue 354300x80000000000000007543699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.727{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62356-false10.0.1.14win-dc-291.attackrange.local445microsoft-ds 11241100x80000000000000007543698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62769D6F84E38D55AD25549354F27375,SHA256=9F6ED9B52771797E35510A4AB7858596C71EC5A3FEEE2940F28BA81B5E2BD705falsetrue 11241100x80000000000000007543696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F4105E267AFAA285D1CC39ADA8E8D1,SHA256=7D44D034A316E07EA245D3661AF0D9343E1D11A45DA5EAA4B24538F6F06A7C31falsetrue 354300x80000000000000002131495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:10.646{AEE49BD1-4151-6132-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62356-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 10341000x80000000000000002131494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.259{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.258{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.256{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.256{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.240{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.093{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6BF0ECEB6B6EB8837470EBBE5B2229,SHA256=F8844A364E2DEAF8DA70C9F8FC522AC1CCC19214DBFFD31DDABE4D6A2DE85E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:11.848{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62357-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:20.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5A0836F09F502800D97C6950C89B50,SHA256=AF3ACB7034C6946B0EB5F483968337B86E03A661082BA06DACD3DFC9530A419F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E6D934C0F40351C88E1FA4360EEA39E,SHA256=D6350127554B66F6F3F0B5E97212F82251676E13FB303C0FFA53C75C08B3387Afalsetrue 11241100x80000000000000007543703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFAC12123C56B03A9A0B70CAC8E072B5,SHA256=A7D9989CB2EAF25206C84703A82DA62082E14E9E618A5A40B202EA0E85C8AA1Dfalsetrue 11241100x80000000000000007543701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CF1EC0FD934F1ED8221D263F265C18,SHA256=229220E24D88D50B4D6FBA8B033122373D13A1EBCF9F78939D17E974650A592Bfalsetrue 23542300x80000000000000002131496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:20.078{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8595CF131898AF5AEA7EFC8177F3B84B,SHA256=B91ADC2119B4B253147C20F9AC9B0C5D28C8222E0AFBABD678B0857704AD2FA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:03.036{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56751-false10.0.1.12-8000- 11241100x80000000000000007543709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483F887EBA757B62A5031B10ADB996F5,SHA256=E9A1BC05F0C2158FB561D951B3D7484F5C491939F1A184DBF076945C4E804067falsetrue 11241100x80000000000000007543707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F251B0CEF7198FCC27A0087BF56663,SHA256=435272E11D6D5F09D77F01E962B90DD60CCF3C0B9CFE5053E292C500E9CEA03Efalsetrue 23542300x80000000000000002131499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:21.095{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404D878F6D4007AE83D8D1E856898F6F,SHA256=400E0D57AC2168841A5BA3B424850E80EA0FF15926953AAA7447DC68FC7EE125,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:22.168{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:22.168{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CAE10E6F753A45E50F2F1BBB1CC331,SHA256=A84B32592CE7A4B90C9EFC8E0AB8EED28ED196C080BCBD48198CB644F468F1DCfalsetrue 23542300x80000000000000002131501Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:22.814{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A289B1F68B959A54BA3B50A7A38155E3,SHA256=FB312D9A17BE032F8AF1BF3510CF2202BB113F4A74A3DE17C2072DFEB49E7DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:22.112{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A07D3DE309146AC5943E6D80D955CF,SHA256=63671FD2860BFCFB794EDE1DE58215B916E97B5162693C3AA5418A55E6BB3A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131502Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:23.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DE1E98BE89F734AC19D47EFF2543DB,SHA256=0ED05B30E84AF0773A08147597438EB6CE6B6B7D58D18F4D8ACACDC0166E1A85,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:23.182{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:23.182{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB9BAA9D8EF6C4B05BC7E99373019E0,SHA256=D69038F3648D00D542D2A18A38ABC94760167CEFED16ECB976279F589B3F8E69falsetrue 11241100x80000000000000007543720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:24.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:24.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B370B0E36E1CF533E52FB89868E2E4D9,SHA256=8C56912D1CABFDA005E974C86DAA06E023FE90E77025251C6641C7BCC4D63D01falsetrue 11241100x80000000000000007543718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:24.211{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:24.211{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7787361FC371E6EBBC86FB38C45625,SHA256=3A4E4E01CDCF4E8F98851DBAE7FFE8198E2D850D3C2102F81FD1B4577F65893Cfalsetrue 23542300x80000000000000002131503Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:24.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4940A8D261830C1E54F7C55CB0D35EAA,SHA256=9788E11BE50274125C91AD05F536EADF2457EDDDE2CF5D016EBEB8BC607259F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:24.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:24.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CF2E8A158D4E4D7AC47FF9712D88CA8,SHA256=EB1C21152A83F7D57E6A3F79ADB529066867689FED320E1400AE12FE93FCBDB7falsetrue 23542300x80000000000000002131505Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:25.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35ED1080FAEA5669B7518EDCE3940770,SHA256=943DA9089919494685B5708126581E61B5462ACAF0752A7465A4CC80A47C912B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131504Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:25.133{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35A49419BBCF6B465CECA83E48D8ECB,SHA256=7CFB32B125E16688DCF436137B998E2E0261EFCB9818700D1460354930203C9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E0879B3C17168BAAE04B4120C86DC23,SHA256=DCFA04D3E6D188B8BEFFC4882AD3933DA809BA77EB75DF8D67390C2B478602B9falsetrue 11241100x80000000000000007543724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA997B07272F8E746DA6000934B35E8E,SHA256=5396563A8C370BB58BA6AF0812CBBCE7EC5439729AE866244C9D115C974F1FEEfalsetrue 11241100x80000000000000007543722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5C91ECD982731AA5A2A7832C05D711,SHA256=FB9DEE3A529D206843EEAD2FD107FE95878E03291C0A99206D0DDE73E51F91CDfalsetrue 11241100x80000000000000007543728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:26.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:26.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BD83042089D06A58225B66747EB80D,SHA256=2A03132F9A13D741FBC071BC937601C60E90C984B47470CF08D52DF8FE728398falsetrue 354300x80000000000000002131507Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:17.006{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62358-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:26.134{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773E79785E92F54B5AB63EEC5C037284,SHA256=52D8A36B157B4588E5816BA8BFCFF3967EB9C0FE270CB2D5F4EBDC484468973F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007543735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.556{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9925MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007543734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.555{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99252021-09-10 17:08:27.555 11241100x80000000000000007543733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.554{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99262021-09-10 17:08:27.554 11241100x80000000000000007543732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ADB58D6B4F0F81C64BCF77E6C6ACBD,SHA256=AE867DE83BCF7CB385C7015D5C0D0FDDD5304CB59902D7560C78ED7B88F8F5A5falsetrue 23542300x80000000000000002131508Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:27.170{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FC88C79785C11465A19C2ED92943AE,SHA256=0E1AFB1805020D589C0049C15A3858DF97D733EA2E0E424E39F5E0387C3244D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:27.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=389977B9EB735EB2C326C386CC75D1F2,SHA256=B9738DB536841F56C4B802F6188630942BD8265881C534D116F843158245B1CFfalsetrue 23542300x80000000000000007543739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:28.575{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9926MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 354300x80000000000000007543738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.027{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56752-false10.0.1.12-8000- 11241100x80000000000000007543737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:28.322{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:28.322{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA323234ED0135C34E6996334DEF3A8,SHA256=65B2CCA6573C4B0B9F84BC8349014AAA434F26F0DE5DACE9419A23995F113735falsetrue 23542300x80000000000000002131510Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:28.925{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4CA431ECBF950945FAC4D353E3F46F6,SHA256=D202A8D3F74F236EABDFE375DC38013A09B4E944EB63439C0A83B38F1A5B9E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131509Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:28.239{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BFEA728BB46709BB03A0F7848967E4,SHA256=5A39B9EF36FFE9246A9A381C4AD639E83C149732E8D5F58F6EC738A81710FFED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.688{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.688{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=513E57297426BD43B1713AC0DA218503,SHA256=D85B723BC71B03F19BA0A8134A2571D937380EAC6EF3F4A174FB79C3B27B3EB0falsetrue 11241100x80000000000000007543743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84133E698094F7C30BA1FF3F917275FF,SHA256=E60C4AB9AB3CFC369C2E4E34979EE97A98A310994596EC0192C1E146FB00B508falsetrue 23542300x80000000000000002131511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:29.274{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206674480C18E08B4951F0F7E207EBE4,SHA256=BDA10A5469E641D22F5E2D08F616E75F0557B67C6C1A5FB315E9485C8FCF67BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31341EFA73C8C334E5CD4CF05F91252F,SHA256=4D519D9243835C07FBB1D907AFBBD0CA815CD84222F877EBCC4DBA5865BB6745falsetrue 23542300x80000000000000002131512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:30.276{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9422CDF7D4BEB962B480B4D3A358C7,SHA256=4A1AAC9F8F46E96466CA5E184206355E10AB9ADEEA85331E0D8D3F73A0C71845,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:30.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:30.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CCD10C5E78AA9BC92590C342767415AF,SHA256=B07DA432AB66E6970679F07FE39EBF6B30C4831FBCF5B010CAD9B8A39F8A596Efalsetrue 11241100x80000000000000007543749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:30.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:30.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9FB6D68A6C3AAA1FBEA09BF30C0B7BDC,SHA256=7C281A987E225C5EE97C2041130DF98391CAB64EF3A60A247CCCA2745C431A3Dfalsetrue 11241100x80000000000000007543747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:30.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:30.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053F4943AC58351B84172A6CE61BCD26,SHA256=2C2366DA712CB31EE68B6A7262F010877834D7FB12AF8538CCA5E01D30485C97falsetrue 354300x80000000000000002131516Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:23.018{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62359-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131515Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:31.280{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C76C9377F8D0484351B81251047942E,SHA256=DCD5B9E933773DDDE69003352E1FF697DB1A5135C0DA1EC24523A747B57220EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131514Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:31.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418C5C425BA2580A5D1FA757A4E1F94E,SHA256=E6A8664DBAF2F64BE5C4056464ABCE60A341304C54EA69408EBC41C5EEA93E2B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:31.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:31.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5916A0ABD5C723EAD7C731A489E8F65,SHA256=8E1C14A24492A10B7DE9A7202604BF6D452B79800664D1DBD0A22BD649330E61falsetrue 23542300x80000000000000002131513Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:31.130{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FE8D807940F022F36C68759D2D4AE9AA,SHA256=ABD1E1EA9D3FF7610EE8300B39156C75BA586F1617987BC094EE8B8A2014DBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:32.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384EF0ED192DFBEC047C7949795AE2F6,SHA256=3E1749FEDE8CF61AA49420C16FCA1E2BAA932D12B08EA5CB2E2E561F6FB78261,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:32.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:32.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D27CA1DA89752A3D6A8AEE00DE3C328,SHA256=E6F7C7579A4421E30C669595D1A4793D2431ECDB76093D32F31C5F3414267D8Cfalsetrue 23542300x80000000000000002131518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:33.334{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6518FD43649BAA781566D709386C1029,SHA256=2F882E75C75B6D555C70A328D9D752055715B893F497B2823ACC4D13821207C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:33.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:33.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E36C9AC6131FA032144BEC6912CA21,SHA256=F4501C76911686C5DFB569CD924EF1B62D4D2763E942D5836C628C4C2784DD51falsetrue 11241100x80000000000000007543757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:33.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:33.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BBB04985F78D0FA7D6D3CA02444BABE,SHA256=E9E451549232DA1EEE7DE54C68EE40A2359E45DB6B4CC92ADA4B09754FD48F82falsetrue 11241100x80000000000000007543764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:34.628{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:34.628{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=24C16EE38F47A7D2565821876E328C6A,SHA256=609843D1126CDF6CCFDD5FF1D0EA0CF6FEBC49C4CA82E4A130E3ECADBDF17056falsetrue 11241100x80000000000000007543762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:34.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:34.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC17D16B520B3796FD24A70FF948DB79,SHA256=80C4B4138116A15DC4832B5D51E83DB9D2CA2D18BE5EF02341BCD5AF44DF2D1Cfalsetrue 23542300x80000000000000002131519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:34.352{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02431E2EE7F6C34524C09BDCA448AEE,SHA256=486F04EE75550C6E653D8978C77B4AC3D90E8AC74D2FCFA2BB80CE3EA36012A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:14.987{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56753-false10.0.1.12-8000- 11241100x80000000000000007543770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:35.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:35.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DA30B7700786256E07D3D43BFEC841B6,SHA256=145C291E72246D0C03827F63CDE5C44EC4087E5D0C3E274E318042FB4EBA4C3Cfalsetrue 11241100x80000000000000007543768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:35.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:35.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93BAF4C70B92C5FFAF91A5DA3EA15C64,SHA256=88056798CB037081F1C862F9237E1DD75F9788F8FBC8E46A8AF996302C9CA885falsetrue 11241100x80000000000000007543766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:35.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:35.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29F7FFF439FD388325333E21AE2EA73,SHA256=F513FECC1D960848EE3E2643AE96ABDCEF9146C572773FE181C3E66592CF2488falsetrue 23542300x80000000000000002131520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:35.354{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52684FBD75208B3AC00C0639CACE83A3,SHA256=2334F98A14411492A6A6C1A8BF36787C82891C6EB12F5D43552BE3B439BC02BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:36.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:36.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06C0FA07FBFAD3A448F36453D5D38FA,SHA256=096FFEF74D2144461DE715CC79228F6EDDF0B1CDE98146F0F9D8DFB41ABA4411falsetrue 23542300x80000000000000002131521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:36.357{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B182F8AFE19BE6006B98703EC65C059E,SHA256=DF3194DB726F9BBE5201901544B235CF04DA120484EEFBD5A647265F4EEC7CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:29.031{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62360-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:37.393{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4056717896D0B30CE8B8B4AB5111E16,SHA256=1745808347CA70C4C5458310DC8887751A72786FB1FFDD3B081AF6DCD30DE40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:37.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35C03DFA8622B18A0C4B4A4276F2A383,SHA256=7E6CA7A29911EFED2D7FA88EC242A2B9E6B3B3FC6529B9CA90F48EB7A5763988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:37.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA439E3B216B5A8316FBD5861CF70EAA,SHA256=0E3DFAEC974FADA967AC99398A563DD412304B64FCA7A4F1B01DB614DEAFFFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:38.399{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF5201C64EE34E6E5B3CE36974DB275,SHA256=129977CC9C369B48E0CAC3C945E14A1AC7344088B102CD6EAD711BE4000E2731,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:38.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:38.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C449A3D09F8D7E6583AF05398861CF,SHA256=DF9304EB97070458969070CEC2F936DDFB82E13A818F3C9FED69D58D6EC2868Ffalsetrue 23542300x80000000000000002131527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:39.464{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724EB7D7782F2B4E53AF19B605E531C8,SHA256=B79CCB373786C48CFCDB879BEFFA87DBFF6B5AF1DA0843607D1B0F926BD7846E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14529F68F4046A583D62546CA1D671CC,SHA256=485B3AAF30559E34DD6433FD39A3590C249C9329DA3E05F2D6747BF0D8158A7Ffalsetrue 354300x80000000000000007543781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.962{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56754-false10.0.1.12-8000- 11241100x80000000000000007543780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5016FA8FAEAE8369A196E1E9E499D3D,SHA256=C5E1ABC4EFE9A856ABC3FAE0EFE1EE1645DCE813BD3676966652E9E14542E3ABfalsetrue 11241100x80000000000000007543778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5FFB864D6041BEC22565CA97C504AC,SHA256=8F948486F6857150A18CAF83814E574B59F77ADE7A5767EEE214EC7B9962345Dfalsetrue 11241100x80000000000000007543776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95A2DF6F31D8AF681CADF6995DCDC97,SHA256=5D1EEC5E42003168DFA8702ACC3A595E232885C5DF8EA6E5BD82965D35F5A98Cfalsetrue 23542300x80000000000000002131528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:40.500{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7BD59BAA00F7876992120503A6CD3F,SHA256=2A3ACC620CEA80C96F70D615A8210F22FE4B8E006FC4B3136E2948EFADA1C350,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34EA92497F4D33837CE395D4C33E6076,SHA256=E71962874793D5C7A9E029B18799B08184C6627843AF4C0B66AAEC3B2D992222falsetrue 11241100x80000000000000007543787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=12DD9C999813CE8BA5053BEF7E480777,SHA256=52E161EFD58EF740533AF04207BD94408911B343FBFC69D97D72F3A8A0A24969falsetrue 11241100x80000000000000007543785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F6071EED8AD224E176DB6D26E21DB8,SHA256=D04F4E2E9BC6A7BA87CE4CFCAF3B45602753FDDC39F84EA1ED4D281C1C722CDCfalsetrue 23542300x80000000000000002131529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:41.502{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FBE95A9D4E897C4933275F376D08C6,SHA256=D51C83BCEFEFC90AEBA23A0EDCA70A08EF32FD0B56CA9E39D875769FA3C5734C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:41.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:41.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1066A20A8639673D53E1A58CF34331A6,SHA256=5308A3746E7927023763E10D4DCAAD6F0DBA6C6DCAF9D536029F88166E30CF93falsetrue 23542300x80000000000000002131530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:42.505{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC801F32A168DC7BB108D3277BB6CDF,SHA256=1274D503A20814BA0A79883BFCB1E9312910B49F356FAF6396A594F77F57A7EB,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007543795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:42.853{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007543794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:42.853{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007543793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:42.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:42.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C05C4BAF7812D862FFB6F72D1C5A3FA,SHA256=4CD6832089A79337597B13E7B4AC55E06B28FA83DE153B99ED219CA798BE94E8falsetrue 354300x80000000000000002131534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:34.992{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62361-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:43.525{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F0602FC69FA618E56BB29D3CFDF92C,SHA256=4EF55388D86F1076ABFA71ED61CF52BBBB9E6E967C81C7C40C7BF17DF49FAB65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5016FA8FAEAE8369A196E1E9E499D3D,SHA256=C5E1ABC4EFE9A856ABC3FAE0EFE1EE1645DCE813BD3676966652E9E14542E3ABfalsetrue 11241100x80000000000000007543797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5219240D18D4D181F1B6C37258D81C7E,SHA256=5DB28F9335BD91AC768B712095311617E5F8A1ADBD4DCFAF66C195BD768C61AAfalsetrue 23542300x80000000000000002131532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:43.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4615D9CB0306833F52A4CD6BE2D3DE,SHA256=4FFA36290CAC72364A60AEEBECBD545B3F271D59F8FF701440A0A3CB64663248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:43.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35C03DFA8622B18A0C4B4A4276F2A383,SHA256=7E6CA7A29911EFED2D7FA88EC242A2B9E6B3B3FC6529B9CA90F48EB7A5763988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:44.527{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C578FE0653BBF5A64363BA1A55B9B1,SHA256=B0AF51D5DD7EC98822669AEB2C39A1787DCDD2DF6D9919BC5DA0066F4DAE3AC6,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007543919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}54964152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000007543914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:26.086{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56756-false10.0.1.12-8000- 354300x80000000000000007543913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.724{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56755-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007543912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.724{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56755-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 734700x80000000000000007543911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007543869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.739{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.734{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.734{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.734{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.734{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.734{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.734{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.734{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.734{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F5E5464734FE76C8105FD77D6C01F627,SHA256=7058E6FD4DD647E1470C56E66C23D9A8611FFF26B0C02100BCCFDB1F3A05E138falsetrue 11241100x80000000000000007543858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.397{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.397{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA0D2C31FFBFF928D87137291B595E,SHA256=12AA0CB802910A3FAF958D312C5BDC374E9D2C3B195FEA0BB94D528AAF6F382Cfalsetrue 534500x80000000000000007543856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.251{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007543855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.251{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.251{4DF467A6-911C-613B-6922-01000000F001}55163288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.251{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.251{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007543851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.131{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.130{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.130{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.129{4DF467A6-911C-613B-6922-01000000F001}5516\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007543847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.129{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007543845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007543814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007543808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.099{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DF7AE0C4850DCE3012619D241056E2B,SHA256=B1F5B87315F727CA1FE06EE9C7F4072DB870F6B97C41F0BE4E4736A2BB6937E6falsetrue 11241100x80000000000000007543983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AF4E0B1E3EA5F23DAB8930ED6BA2EC9,SHA256=FA493B913E8EBADCBD8104EE3AA0C296C7D165E9AD944EA40767225FC185BD1Dfalsetrue 534500x80000000000000007543981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007543977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1AD23434AC927E69B0246A9D356E69,SHA256=3880CD1AD0F6BE70FF0689980801F9C265C6441F296C75314991FC0DB575751Efalsetrue 23542300x80000000000000002131536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:45.527{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7893876D1B8F04FDC3425977FF5F9487,SHA256=C7AA77AC10D928EECD2325429485BB01A3F81B40706A16B97291AC875B07D4D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.380{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.380{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E01C2AE3498AB22466715253CE58D83,SHA256=ECCCD4655D2A28C0BD6A2A1CF7E3B97AFE051260FD42CE6C966A71A92E48523Dfalsetrue 734700x80000000000000007543973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007543936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007543930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.333{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.328{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.328{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:45.328{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.328{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:45.327{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.327{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:45.327{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A42155F42979AED0CF56B371B0BD77F,SHA256=EFF7DC36CE2912BAFFE9FCC951BF22E3C2B163CA0B15982640759E826EE0C5BAfalsetrue 534500x80000000000000007544103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.862{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007544102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.862{4DF467A6-911E-613B-6D22-01000000F001}43284924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.862{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007544100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.862{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007544099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED58C491E3E6C0DB885FA73E02817EE,SHA256=4635F531CC994543B6BF0BBDC93AA76E3E0EAD1361FF67565EFD7502DF145C93falsetrue 11241100x80000000000000007544097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.762{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007544096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.762{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 734700x80000000000000007544095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007544094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007544093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007544092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007544091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007544090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007544089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007544088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007544087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007544086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007544085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007544084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007544083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007544082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007544081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007544080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007544079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007544078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007544077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007544076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007544075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007544074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007544073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007544072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007544071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007544069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007544061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.731{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.730{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.730{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.730{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007544057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.729{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.729{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007544055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.728{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007544054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.728{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007544053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.728{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007544052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.726{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007544051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.726{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.710{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007544049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:46.530{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17CDA781E80BA53CA70C16C72B0D2B,SHA256=5BFA6A64F9678E8647BC07840A61D4C20FBC145ACCADA882EB9A57FB7872C593,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66FCCF2F670BFC7B2F4F939177FCD694,SHA256=3FC49293ADAF62EDACB004BD9EF966796B899D8D4D3CEE473F0F7EDA8A01E409falsetrue 534500x80000000000000007544041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.163{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007544040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.163{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007544039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.163{4DF467A6-911E-613B-6C22-01000000F001}1308768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.148{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007544037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.148{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007544036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007544035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007544034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007544033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007544032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007544031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007544030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007544029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007544028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007544027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007544026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007544025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007544020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007544019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007544016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007544015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007544013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007544012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007544011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007544010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007544009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007544007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007544006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007544002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007544001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007544000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.031{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.030{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.030{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.030{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.029{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.029{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007543994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.027{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.027{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.011{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.010{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.010{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.010{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.010{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.010{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.010{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 734700x80000000000000007544221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007544220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007544219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007544218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007544217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007544216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007544215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007544214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007544213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 11241100x80000000000000007544212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0123765B2D8362EF88F799E997BA404,SHA256=7DF99A192E3DFCC78660EA0ADA02F36550F489837E7CAB8AF406BD3756732F0Afalsetrue 734700x80000000000000007544210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007544209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007544208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007544206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007544205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007544203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000007544202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007544200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007544199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007544198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007544196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007544195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007544193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007544192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007544191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007544190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007544189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007544185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007544181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007544179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007544178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007544177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007544176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007544175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.960{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.949{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007544173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007544167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D088F8060DD401E17477B4FF87F64E8,SHA256=F595320CC0B157528A1CF2356C0F25F9FC55D447DC3BC710E4B32700D2EC25C9falsetrue 11241100x80000000000000007544165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=936B1309DACFFB51BFF768D1EDA0EA6B,SHA256=92A0447FAE6F0B3BDB6A06CDCAE3C337C160D841768D4C2747734A2CEF328FF6falsetrue 23542300x80000000000000002131538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:47.532{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4CA1E07A56F38554AF00BEC80D1962,SHA256=D17FE68FB9C4E31F21D08337AFACDDFAB2D8906CCC343E7182FC31F8FEA797F6,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007544163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.561{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007544162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.561{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007544161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.561{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007544160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.561{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007544159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007544158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007544157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007544156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007544155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007544154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007544153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007544152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007544151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007544150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007544149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007544148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007544147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007544142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007544141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007544140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007544139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007544137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007544136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007544134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007544133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007544130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007544129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007544128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007544127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007544126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007544125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007544124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007544122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007544121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007544120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.428{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.428{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007544117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.427{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.427{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007544115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.427{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007544114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.426{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007544113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.426{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007544112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.425{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007544111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.424{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.409{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007544109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:48.534{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD26F9BE19554307BD023AA2A6D78EBA,SHA256=6D428CC0B9B765F2F516A905CDE85403D725F1C5441674CAA004DBB3D22F17C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264B835459C5F6F4315D72F030EEC833,SHA256=9A3FB20A38F5C49F510C7A23C0903E24A2011CAAC32BDE048B2A03648B496320falsetrue 354300x80000000000000007544226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:29.617{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56757-false10.0.1.12-8089- 534500x80000000000000007544225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.107{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007544224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.107{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007544223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.091{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007544222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.091{4DF467A6-911F-613B-6F22-01000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000002131542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:49.536{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B2DEF765ADF01574F1F9623AA44D0E,SHA256=3F3969A0BC5C1B2020CC12D0F7D60BDEA7FB4F6F5E7888F802600B9E29CF7DDC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:49.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:49.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E64B91FCC9E86F9954ADA3611301F8,SHA256=1CA403CD9C7D29AB249C7C5DE27CD8AB1B9B072D7D03F7ED0A6D1D8A52A282DDfalsetrue 23542300x80000000000000002131541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:49.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0550929716B359C9071F7D717279D69C,SHA256=0E608FB5D03A6C7FCBC524CE7001B9FBAAA2C3E0A05DC60064C24ACE364D0016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:49.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4615D9CB0306833F52A4CD6BE2D3DE,SHA256=4FFA36290CAC72364A60AEEBECBD545B3F271D59F8FF701440A0A3CB64663248,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:40.954{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62362-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:50.538{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D887B637B933101C4217367FF754C251,SHA256=9EE0346B30C75DC5FB068397C5F7BAA6989E3DA515262082570DF1C53C91E35B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.688{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.688{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=086AFF571B313D70C19258BB3A331344,SHA256=AC5EC6B7C583EBEF152C46028E23B3703D3449AA37C56EED75F2148B6F498F32falsetrue 11241100x80000000000000007544238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.588{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.588{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BDED77D91CB08122562A31562804703,SHA256=5E248D11CB83BEC797EAADB509ADA496C1AEFA6290D542CED9D28FA7FA830259falsetrue 11241100x80000000000000007544236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5FB6F5DD7D26D28905BC535E3CA18B52,SHA256=BB41DF739ABD72E483F21193C4BF7ECB6AFB46D89FFE708FCB5F4EC1B624793Cfalsetrue 11241100x80000000000000007544234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BA03B240540719B441ECB525E819620,SHA256=7F2E176C3A205FA18F4F6E0331A2E6C604D0322B4287215A4557E14238CB9018falsetrue 11241100x80000000000000007544232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:50.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66C22D9620A73BF3560F4639517525E,SHA256=515C56AB0E1BAF8254049AB7E9801C2A460DEAF3896CCF05328DAA7BAFBA86F5falsetrue 23542300x80000000000000002131545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:51.541{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6527AF4E365F3F8BF05FA676F026C0A2,SHA256=C11A9804F7182B9E5FF067C11C9F0E43CBB386001D2D2645EE2D240B19D4C903,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:51.322{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:51.322{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B960BF07FCF035A43368AB472D18541,SHA256=E589221CB710FA5270F28F5154628A00AA77A56308FAD75A0C96B7876917AED0falsetrue 23542300x80000000000000002131546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:52.544{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA14D0D449885D5FAC223537FFDFFAB1,SHA256=3192198696190CD6C79A9850376EBCBC82A6AD6F062EEC63C31064AB0652081A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:52.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:52.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4584AAAB7411E5EE4395770B78DE5CAB,SHA256=F15DD7CA366B12272D44262A94E7AE11A11A9B9075F31B82018BCC11F5DCC24Dfalsetrue 354300x80000000000000007544243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:32.095{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56758-false10.0.1.12-8000- 23542300x80000000000000002131547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:53.561{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6399D96085749E0A6FCF63CFA50ABCED,SHA256=CF37CFB23560B4A5DE6D263F9BA7A1BF63EB0CE79412F110548FFABB86DF8754,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:53.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:53.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F32FC4A66044E691B684CBA22E8B91,SHA256=202523C4DB48D42FE40B25685069714BBDB59F8AC03B7D576E531090E31A933Cfalsetrue 11241100x80000000000000007544251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:54.798{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:54.798{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E33BDDC4754D137565B8A7A61E4F72F,SHA256=ABBBDA4FE186F58A62834C712E1CE37941319F810E82A72C1AE442FA415064CFfalsetrue 11241100x80000000000000007544249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:54.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:54.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FDFC65739C7DA3800500A70584B0EA,SHA256=0885EF813533E7823C1E5504672406B61754DB14E15520EC3A10F0BFE1070073falsetrue 10341000x80000000000000002131561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9126-613B-991B-01000000F101}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9126-613B-991B-01000000F101}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.678{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9126-613B-991B-01000000F101}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.663{AEE49BD1-9126-613B-991B-01000000F101}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:54.562{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5F45DEB54191CBA19EC97A3A716FC8,SHA256=58E3E1FB1B425DA61D5F8F2DBC6BEB13645DB10D82F0ED5A67E718B2144E5E96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:46.951{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62363-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000002131591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9127-613B-9B1B-01000000F101}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9127-613B-9B1B-01000000F101}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.832{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9127-613B-9B1B-01000000F101}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.828{AEE49BD1-9127-613B-9B1B-01000000F101}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.827{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2CE15071FF0AFFE46CF15D2DD139A5,SHA256=65A996CC36C22590DC5D0DFC235D38ED5BD8F25418810A9FDCE77BAB592CE9AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A0964964F5D2B1DFA4784DDE777ACA9,SHA256=C7D8CA37B9FC52ABFB33C18E3A3F68005423EDC5AA7674B6FD119ABB5FB57081falsetrue 11241100x80000000000000007544269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2A41BED325866447B7C69AF932FB1B4,SHA256=7FF667429B5680371590DA8FD0C77792C44F317E46B73D0046E49A1B665BC68Bfalsetrue 11241100x80000000000000007544267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65BC941C083533D09AAA99CDC09C9E2,SHA256=6EC526A8AB6B97899D6B8233508B7BED412CC2DF336A491C5E7F7ADC6AE7A7A2falsetrue 13241300x80000000000000007544265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000007544264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,17102418,7202269,41484365,17110988,7153487,39965824,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000007544263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000007544262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000007544261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000007544260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000007544259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000007544258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000007544257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000007544256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000007544255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000007544254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000007544253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000007544252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 10341000x80000000000000002131577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.331{AEE49BD1-9127-613B-9A1B-01000000F101}48006032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.195{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93700BCB3F6C0FCDA03A35A7A70A63A2,SHA256=94F97BA4515B7E8C965461C60CF1C0D6BDBAA2A1CFF2C1C0EC38EC7D825777A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0550929716B359C9071F7D717279D69C,SHA256=0E608FB5D03A6C7FCBC524CE7001B9FBAAA2C3E0A05DC60064C24ACE364D0016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:56.864{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7870860CF3BF618AF5458D19807D0B06,SHA256=778605A9048E3CF15CF485DCBD9343E8AADB26203A0BA54D824A8589090CA67C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44831FD0716DD20970647AEA4ADB1BD,SHA256=487FFA6CB8390EA81B102EF3D43B98E0D73B468AC621F2301D75891743155EB7falsetrue 23542300x80000000000000002131593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:56.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93700BCB3F6C0FCDA03A35A7A70A63A2,SHA256=94F97BA4515B7E8C965461C60CF1C0D6BDBAA2A1CFF2C1C0EC38EC7D825777A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E769EADFB8777159D1F9FA67D46125,SHA256=B0DABF91BC7D1913CF812A427E5B024E1414CFB40D832BAFBF9AFD1ED4282F1Ffalsetrue 11241100x80000000000000007544273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F50F6D2EE0B3436A652FAA7553F0704E,SHA256=25CAA40F37ACF89D2DD23A9966D6AC6A6C493FE0FEDDA63F1E3BF8A288501AAAfalsetrue 23542300x80000000000000002131595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:57.866{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3513D83C3983B34D41436EAE02BD4862,SHA256=BD1C8F04D18E3508C8CA11F46EC85CB69AA42E1280BA3E9791AF26D07B07F3F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:57.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:57.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B880604C6BF91B31B2C0A05A30BF3663,SHA256=9FC330532194D6BD1BEB1763E2BFD2BBD451401F4B320BDE18921F9218091AA1falsetrue 354300x80000000000000007544278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:38.087{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56759-false10.0.1.12-8000- 23542300x80000000000000002131596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:58.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AF4321769BE16CDF95BDD70ACF8520,SHA256=8142D12431849E3E3666BA8C97EC5EE02E0CCF6FF2F0C32E6DD7AAB8FA504CC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD66542B1E4D0DD4FDACB002694C403,SHA256=BACED5EDB434EE2FD50FCE3D817D12CB09935C6FA06D11741D39635A4CC71EDCfalsetrue 11241100x80000000000000007544282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.510{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000007544281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.509{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC19234030EEEEBDF28264BFE7D654FB,SHA256=6125E4648B014808A574BB685D2D4D058E0320146776986FE03AA315A1C55050falsetrue 11241100x80000000000000007544286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C56E29EAC3D180CC9A7573B8FDAB231,SHA256=6DB17469DD928AD64E9DD12C477EB95B41E0A7C78AC845C58FAA0679F6E4D231falsetrue 23542300x80000000000000002131597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:59.917{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C0BDFE107A6F24820E45D5A167384F,SHA256=5DFAC0E466EE52921BDC11E9EC841C2413F5E7B371DBEFFFA80828CE035D1EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:00.919{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3173DD40747EA5C3E9F714D0C563B183,SHA256=B357403B9E9874E289A39650D5FB892A743E9633F18E196866B771FF0DEEF252,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D1DC8E06684CF21DBC39E9E5E80EA703,SHA256=C6F5BF5240B69342AAE1573A74A2E2442281E777348934E5ECE92356F697AC6Cfalsetrue 11241100x80000000000000007544292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CD583ACAA8650A57A861BD8332E036,SHA256=DCC5C55BEF11B14F79F3E90AA1CF417753FBF8204D9FFE7EEF4D98C8FC0D2844falsetrue 11241100x80000000000000007544290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.643{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.643{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB7C31012BAB018165FFE39215DD7965,SHA256=E9E7B3EC4037945D41F484233E1F974202B512F4FA414BF30676F0D690740AD6falsetrue 11241100x80000000000000007544288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9153D16DF0DCFE1E1358D889A7F2BD64,SHA256=2BB0BAEED87BA7572F7EB339DB277FB562722F9D9C64F925981E7DC9EEB6D57Efalsetrue 23542300x80000000000000002131598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:00.386{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1BB06B16BA66220C6445601DCA7558,SHA256=5AEFFD07FE5A7A71A357ECB93D652F2C20F4E2A60C7555CCD917FE8365C33F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:01.938{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085900A68987A929A6D672FB6AD19BB,SHA256=0480DA52333B329B3F20D04F66DB06A590030104431321DAC33032278F3B7254,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AD8AD7A7B08DBCF7550ABBA62303AE,SHA256=2235E0215FE273246FEAB26DAF9FE6BABE529D9F265AF407C8F133066ABD51ABfalsetrue 354300x80000000000000002131600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:51.958{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62364-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:02.975{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542358264AB0207EE4576AF8B7DF75EE,SHA256=1D49D3E2363B404D33C8A51B8917450880BB0CE6BBA12079B46B5420A7DD115B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043CDF3F1793C2D714F11131B88C7A80,SHA256=B18D26489E9E90807239118ABAA30C0D18F34D44F0D8A7EE01C87D1A2BE6FC29falsetrue 11241100x80000000000000007544300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E4E58EC4A23BA38C3472E08A6503BD4,SHA256=F315F97157752F96C5B0F4840279BFDF3E24D810ADC84992D241E58B934C9346falsetrue 11241100x80000000000000007544298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E769EADFB8777159D1F9FA67D46125,SHA256=B0DABF91BC7D1913CF812A427E5B024E1414CFB40D832BAFBF9AFD1ED4282F1Ffalsetrue 23542300x80000000000000002131603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:03.976{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A142BBAAFC4A735F544C004E0EA17819,SHA256=E285F87B3B5BAE31DD8716E9962EEAC8D61485F3361E3781FFE150DB2B5DD594,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B322656F701D01A04D9FA378D7012F42,SHA256=C8DF7BFD0F04CC895A471714CBEE6C07DD6F02F2508E01575CE31DD0CEA1B36Dfalsetrue 354300x80000000000000007544303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.997{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56760-false10.0.1.12-8000- 23542300x80000000000000002131604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:04.978{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D81B7B2FEC46E908762D1C9CC17A1F2,SHA256=212086B879587B95022CF415957EFC29CF4AAD159F5D819E20BAED4A81C4174D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED94C9EA3F715A06BB80741BE72A49,SHA256=749DA26D364692ECEB3F8C66D9313BDEABA23F7BB9539E3DE4406CCDC51B4163falsetrue 11241100x80000000000000007544307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E4E58EC4A23BA38C3472E08A6503BD4,SHA256=F315F97157752F96C5B0F4840279BFDF3E24D810ADC84992D241E58B934C9346falsetrue 23542300x80000000000000002131606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:05.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD15C06F8EA904C7BB6250484D6AA15,SHA256=BB864721700DFC6BFCF157FEED1494BE53007DBABE7ED6025AD96C2CCE106110,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.935{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.935{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC6A97248EE390165BD6CB441F9A68DC,SHA256=30E36C5BFD0C09E375F6A1A402FC74F49F934F204B36702850408FB6556232C5falsetrue 11241100x80000000000000007544315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F1A26BBFE12792D947D2321C5DF001BC,SHA256=58D604FD8F1449330B8DF47D23B56BC306B821E11A6430B463E0F2102840A7DEfalsetrue 11241100x80000000000000007544313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCCB4679CD4F45D2218E4E6626D888A,SHA256=81ED2D39B1632DB4EC0E8355894573B367E4D68005EEC0EAAB48E5A9BB28F713falsetrue 23542300x80000000000000002131605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:05.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524F7401F5EFF7BCE6D89700F44E0D10,SHA256=E42FB02D0C22BDD4B3A204C485EFCFDB4A26D10113836D05ED6C0912E8056F88,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.305{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.305{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=703A6B3E766FA770B40441D89CAED1F4,SHA256=A24A3C3803490E54FF1651C3E7A67D243CBA564314596A6877270D81E88DFD10falsetrue 11241100x80000000000000007544319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:06.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:06.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9697C155B9CBBDB9933A11D5F032049A,SHA256=4059CCCFA36FB8C64B87AC5698C24F3EDF926683EF3B29BFE289F07E7FB6B62Ffalsetrue 354300x80000000000000002131607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:57.031{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62365-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007544324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB4BF7364E06930D683DD623D938A0B,SHA256=91FDAD4C79F6F2CD57C73704FF69DF0146141CE5FD175C491E69284721669660falsetrue 354300x80000000000000007544322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:49.005{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56761-false10.0.1.12-8000- 11241100x80000000000000007544321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=317FFF2CF0160A484498200FE8F22C63,SHA256=77092AAA99EF08947C2FE472BEBEC98F5881BF73579A57A3E6E288E0BBEA8603falsetrue 10341000x80000000000000002131621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9133-613B-9C1B-01000000F101}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131611Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9133-613B-9C1B-01000000F101}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131610Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9133-613B-9C1B-01000000F101}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131609Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.915{AEE49BD1-9133-613B-9C1B-01000000F101}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131608Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.012{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E554AB329704B97A519BCDB68C4272,SHA256=2002817AE1D5F6890761F3A89AE01EC86606B95499DCAB72A09FE7EB026987A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.750{AEE49BD1-9134-613B-9D1B-01000000F101}39644276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9134-613B-9D1B-01000000F101}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9134-613B-9D1B-01000000F101}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.615{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9134-613B-9D1B-01000000F101}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.600{AEE49BD1-9134-613B-9D1B-01000000F101}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002131623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.052{AEE49BD1-9133-613B-9C1B-01000000F101}632908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.014{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEAC4631D72E16FEDB39A38E1C342F3,SHA256=DDEEB7068A5080D3195A212B748DA834930D5FA4D5AEA5D1A720FB4B113B9E86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.430{AEE49BD1-9135-613B-9E1B-01000000F101}40084780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9135-613B-9E1B-01000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9135-613B-9E1B-01000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.314{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9135-613B-9E1B-01000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.299{AEE49BD1-9135-613B-9E1B-01000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.051{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CD2E7186B9DCACDBE43251D97C77FD,SHA256=5E1DEEC46AC934950A321AEA9A1242DB43F0378153C47CE4F3D65A9AC2FB9484,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:09.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:09.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA535A04CCA1EBBBE281CC69D1CAF19,SHA256=58EC73BAB6E1961A4FCAE97421D091D1765EE47FFD38FAF3272F643D91859854falsetrue 11241100x80000000000000007544326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:09.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:09.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0EAA5B6F63AEBA200143DD7F0F2A59,SHA256=0DC08356ED2C4FCDC6DB79B04359624AB033B1C1B114488D494810E581EEC242falsetrue 23542300x80000000000000002131638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:09.014{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE18800478903655FDDD097EEFC5B30,SHA256=D8F80CFD20FCB957E6B21A318FEDDB8A4042370748DCC082C9B871C9F12108F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:10.350{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC85D17C3B852D6EB9A1C6FBEBCC5C3,SHA256=D0F9678FAD8895D44C6E74447B78FE025122CD07A24E7460C50C2F63727F1ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:10.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649631B2D3271174576E5FEE06745562,SHA256=CB4B782DEA5EC93A52C6883F8893FDC86E93013C48E769627E1C2E4949A4BFD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:10.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:10.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E251F154D9FCF1B2BC13A5D5C13DF717,SHA256=D5395D639FA32132CB391FFF37E06EA6685C93A8BDA09CC93CCBE7303D067B35falsetrue 11241100x80000000000000007544330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:10.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:10.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C72F0FA4655825A8A40E6B57E4698B8,SHA256=C5F0184611D771EDCD984E4A90E488B88B2D8D3E23F10A29C1C8FF180993CDE1falsetrue 11241100x80000000000000007544338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8F94923EFFC812777E9147A653DC3107,SHA256=FB9FD2C7408002034CFBD78F571185C53872E8F305D45D684CFBEF9383F8F174falsetrue 11241100x80000000000000007544336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99795DBA30C23E08F22AE2FA0CA63D6D,SHA256=7660C5428AB22F2EF91298B4BDBAE29AA97793D5EEF5C43F697D7E97515B739Ffalsetrue 11241100x80000000000000007544334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CEADA1F2CAB0934D2F0818BB74DB15,SHA256=776D6738333B86E9E826DFC7F0147914D7355377383E9B83DC868738D3EA4B80falsetrue 23542300x80000000000000002131657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:11.617{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:11.100{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E267D20919F6A251D8D424DD6CB39DB8,SHA256=D989120C4C519AA3E6EC1BE25DD9F0FC12DB6D4BA2B709FBBF28D4946013E81D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9099ECA500690DE41A8359743DABD7F3,SHA256=FD3341498F687C998A0F55F8BD1F9D83F502E994A70574A10EACED4741AEFBA8falsetrue 23542300x80000000000000002131661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:12.737{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9917MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:12.620{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20486D12F1741635C93A622923B9F71B,SHA256=4A3EFAA2423593D4745FAAD4D70F796BB570C83E0823D0E2F64ADEE9503CF465,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:02.873{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62366-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:12.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9776156840A5793851677F5A32B7C5F,SHA256=0FF6778AC9EE19768EC2540214959ADCFDB08AB3E60D9B545031D030849DB200,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007544372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007544380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.042{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56762-false10.0.1.12-8000- 354300x80000000000000007544379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.005{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse75.174.156.221-53964-false10.0.1.14win-dc-291.attackrange.local3389ms-wbt-server 11241100x80000000000000007544378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.371{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.371{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFE5AC7E2F53F1B1E77F51266A3E26,SHA256=AAD630724BDAA7D87D7CF0CC5185A0987C37F63CCA1BD1D1ECD8E381AED6D901falsetrue 23542300x80000000000000002131664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:13.737{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9918MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:04.406{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62367-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002131662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:13.105{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D035F4596034CB4E7A0153B798E1F86,SHA256=69F3888A31F7070720E1E286914AAB67E6F3FDB76DEF4B55ADC258422BB374AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A77D606A2105339A52673F3952A78099,SHA256=20C43F3FFFFDB01815A2DDD62839C7E1B1C4CEA584C26D87F1A8C0AF0D10C4E5falsetrue 23542300x80000000000000002131665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:14.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6D8FBC2B0C75C93240B5A4B3131AE5,SHA256=94576D035EC8ABC79894D472102B00357FA7742F1E897DDFEA979D498984AA59,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007545782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=EFA3E8A9CBD2C00E0F42A5958D993F11,SHA256=C561557BE94BA4F8EE12FE3C13922A0729A6B462DF82D4A4D7941516367209CBtrueMicrosoft WindowsValid 12241200x80000000000000007545778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.989{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.989{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.989{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.969{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000007545756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.969{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000007545755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 11241100x80000000000000007545754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007545753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83385DE66101DB79AEC36C5058ACCB92,SHA256=C95F2E5DD9EC97E0D3F2EEAC4BF46403FDB04E77B4612FEE7B01B5E1D9427D0Cfalsetrue 12241200x80000000000000007545752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 12241200x80000000000000007545750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007545742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.790{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000007545741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 12241200x80000000000000007545734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 12241200x80000000000000007545724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts 12241200x80000000000000007545723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\TIP 12241200x80000000000000007545722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Substitutes 12241200x80000000000000007545721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload 12241200x80000000000000007545720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007545716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.790{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ism32k.dll-----MD5=2D64FFE4D9D69749DAE22929EAF7C0E3,SHA256=DE4B60F73BE4265C83E68C80B984F5B06B69DB281E4F1365DBBAFB9D9366D9B1trueMicrosoft WindowsValid 12241200x80000000000000007545715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.786{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 12241200x80000000000000007545691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007545678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.937{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 12241200x80000000000000007545677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000007545667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.937{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBE7508557E1398460A3D748DAC5DA7,SHA256=2186C187B678D3BB09D2282D479B77E0067D6F2407054617710DCFDDC7663C59falsetrue 734700x80000000000000007545666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.937{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63trueMicrosoft WindowsValid 734700x80000000000000007545665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x80000000000000007545664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECBtrueMicrosoft WindowsValid 734700x80000000000000007545663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000007545662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000007545661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 12241200x80000000000000007545660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.922{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmghost.dll10.0.14393.0 (rs1_release.160715-1616)DWMGhostMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMGhost.DLLMD5=E90480135CCF153367927193360E1704,SHA256=1E38DCCFBB4E3F7A97ACF9B8F35A27EDA314779E17951B62915BFEF2C4FE1905trueMicrosoft WindowsValid 12241200x80000000000000007545658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836EtrueMicrosoft WindowsValid 12241200x80000000000000007545631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.906{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4trueMicrosoft WindowsValid 12241200x80000000000000007545607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000007545601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4trueMicrosoft WindowsValid 12241200x80000000000000007545576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid 12241200x80000000000000007545551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Winlangdb.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Bcp47 Language DatabaseMicrosoft® Windows® Operating SystemMicrosoft CorporationWinlangdb.dllMD5=50E4D5039A8CDC4A6B540FCA4584CDBD,SHA256=AEF4A7FDBF3D97CAA5750A3779246AF5E562176179153B356689A0E3FC5BB444trueMicrosoft WindowsValid 12241200x80000000000000007545526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmcore.dll10.0.14393.3297 (rs1_release_1.191001-1045)Microsoft DWM Core LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationdwmcoreMD5=03C407A9E53E7F5B008408EE7DD98C49,SHA256=128569219AE53C10BBF6630E2CEF5CAEE94EEE53D149EAB67B8FE527C77C73F5trueMicrosoft WindowsValid 12241200x80000000000000007545499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007545475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 10341000x80000000000000007545472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 734700x80000000000000007545470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 734700x80000000000000007545469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.837{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 12241200x80000000000000007545468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.837{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x80000000000000007545464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid 12241200x80000000000000007545459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.XamlHost.dll10.0.14393.4169 (rs1_release.210107-1130)XAML HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.XamlHost.dllMD5=3EF300C64E57C482FEC2A62454CC45BC,SHA256=CED0EEE32D019EAF1BE70190B87FA9858054DEE20DE77EF0BDC67C2B8B0DD669trueMicrosoft WindowsValid 12241200x80000000000000007545437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 12241200x80000000000000007545410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007545376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\uDWM.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationudwm.dllMD5=92156F4F346EEF68A638B377310E5A44,SHA256=1ACA1754494BC261C5AE9891F3CDFE9A9060D1F882858B9087E6365C9572D360trueMicrosoft WindowsValid 12241200x80000000000000007545375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x80000000000000007545363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x80000000000000007545362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 12241200x80000000000000007545361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630trueMicrosoft WindowsValid 12241200x80000000000000007545357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007545333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007545332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CE24FEF4E2748819D016BFBD6D7C9B,SHA256=99782236615CBF7DFC205F83A4736DEFCA8601A86BB75633768D8A746D7CDCDCfalsetrue 11241100x80000000000000007545331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 12241200x80000000000000007545330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.787{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exeHKCR 23542300x80000000000000007545329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BEA52FF633D7A26A1D07E87115C54EC4,SHA256=97E89E836CD1966DBE405C511C5DCE1B71187E82294166E406AF3574C305FE98falsetrue 12241200x80000000000000007545328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.787{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.786{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007545326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 12241200x80000000000000007545325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 23542300x80000000000000007545324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10D350C6F2C090B48BBEFC4513F8505A,SHA256=F6B7BC02B11DC7781C57BF858B1E5A3DBB3A352827455A976DA8EF384859A718falsetrue 734700x80000000000000007545323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmredir.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Desktop Window Manager Redirection ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmredir.dllMD5=05B2A35A72410F77A402FA5B76CF2086,SHA256=13F6D45C49526D75A2E781E59E0C73DF7774579BEF684782B5A283926F8D390EtrueMicrosoft WindowsValid 12241200x80000000000000007545322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.784{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.784{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Logon.dll10.0.14393.4467 (rs1_release.210604-1844)Logon User ExperienceMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Logon.dllMD5=1F387C61960B104EBAEFDFC3B97BB9F2,SHA256=DC1EE4F165BEF4E712E4F29C0CED9376288100433F3C8557B36117B8BAEE6CADtrueMicrosoft WindowsValid 12241200x80000000000000007545295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 10341000x80000000000000007545271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007545267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload\100000409 12241200x80000000000000007545266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload\1 13241300x80000000000000007545265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007545264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayoutDWORD (0x04090409) 13241300x80000000000000007545263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID{00000000-0000-0000-0000-000000000000} 12241200x80000000000000007545262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007545261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 13241300x80000000000000007545256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409DWORD (0x00000001) 10341000x80000000000000007545255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000007545252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts 12241200x80000000000000007545251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\TIP 12241200x80000000000000007545250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Substitutes 12241200x80000000000000007545249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload 12241200x80000000000000007545248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007545243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 12241200x80000000000000007545242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 13241300x80000000000000007545241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\ShowShiftLockDWORD (0x00000001) 13241300x80000000000000007545240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\ShowCasingDWORD (0x00000001) 13241300x80000000000000007545239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\0000000000000409 12241200x80000000000000007545238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 12241200x80000000000000007545237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language 12241200x80000000000000007545236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language 13241300x80000000000000007545235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\LanguagesBinary Data 12241200x80000000000000007545234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 10341000x80000000000000007545233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007545231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007545230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007545229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401trueMicrosoft WindowsValid 13241300x80000000000000007545228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName@Winlangdb.dll,-1121 12241200x80000000000000007545227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 12241200x80000000000000007545226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile 734700x80000000000000007545225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DDtrueMicrosoft WindowsValid 734700x80000000000000007545224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007545223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 10341000x80000000000000007545222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x80000000000000007545219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 10341000x80000000000000007545218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007545214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttributeDWORD (0x00000001) 13241300x80000000000000007545213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorizationDWORD (0x00000001) 13241300x80000000000000007545212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalanceDWORD (0x00000001) 13241300x80000000000000007545211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalanceDWORD (0x0000000a) 13241300x80000000000000007545210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowDWORD (0xc40075c6) 13241300x80000000000000007545209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalanceDWORD (0x00000059) 13241300x80000000000000007545208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorDWORD (0xc40075c6) 12241200x80000000000000007545207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 13241300x80000000000000007545206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColorDWORD (0xffc67500) 12241200x80000000000000007545205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 13241300x80000000000000007545204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenuDWORD (0xffc67500) 13241300x80000000000000007545203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenuDWORD (0xff995a00) 12241200x80000000000000007545202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent 13241300x80000000000000007545201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPaletteBinary Data 12241200x80000000000000007545200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent 13241300x80000000000000007545199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttributeDWORD (0x00000001) 13241300x80000000000000007545198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorizationDWORD (0x00000001) 13241300x80000000000000007545197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalanceDWORD (0x00000001) 13241300x80000000000000007545196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalanceDWORD (0x0000000a) 13241300x80000000000000007545195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowDWORD (0xc40075c6) 13241300x80000000000000007545194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalanceDWORD (0x00000059) 13241300x80000000000000007545193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorDWORD (0xc40075c6) 12241200x80000000000000007545192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 734700x80000000000000007545191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000007545190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000007545189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007545184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 12241200x80000000000000007545183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000007545179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exeMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408trueMicrosoft WindowsValid 12241200x80000000000000007545178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x80000000000000007545161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 12241200x80000000000000007545159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 12241200x80000000000000007545156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x80000000000000007545132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007545130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007545129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007545128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007545127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007545126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007545125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007545124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007545123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x80000000000000007545122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007545120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007545118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1CtrueMicrosoft WindowsValid 12241200x80000000000000007545116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007545093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.706{4DF467A6-913A-613B-7122-01000000F001}62123836C:\Windows\system32\csrss.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007545092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.706{4DF467A6-913A-613B-7222-01000000F001}74766744C:\Windows\system32\winlogon.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007545091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.719{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{4DF467A6-913A-613B-9EB5-EB0C00000000}0xcebb59e3SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exewinlogon.exe 12241200x80000000000000007545090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87trueMicrosoft WindowsValid 12241200x80000000000000007545085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.706{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.706{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.706{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 12241200x80000000000000007545057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonController.dll10.0.14393.4169 (rs1_release.210107-1130)Logon UX ControllerMicrosoft® Windows® Operating SystemMicrosoft CorporationLogonController.dllMD5=EEFFA85317E0C7483D747B7C0F20ED38,SHA256=6DC57621059816648A4D438874A29C3F697A86EFC8B04E2945F2C74733DB28A5trueMicrosoft WindowsValid 12241200x80000000000000007545035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007545012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.706{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColorDWORD (0xffc67500) 12241200x80000000000000007545011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 734700x80000000000000007545010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 10341000x80000000000000007545009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}67004992C:\Windows\system32\LogonUI.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007545008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\IdleTimeDWORD (0x00000000) 12241200x80000000000000007545007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI 12241200x80000000000000007545006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3 13241300x80000000000000007545005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\BootLogonDWORD (0x00000000) 12241200x80000000000000007545004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData 734700x80000000000000007545003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000007545002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007545001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 734700x80000000000000007545000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007544999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007544998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007544996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 12241200x80000000000000007544995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000007544993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000007544991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exeMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5trueMicrosoft WindowsValid 734700x80000000000000007544988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.690{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000007544987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.688{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000007544963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.688{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.687{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.687{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.687{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007544959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.686{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007544958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.684{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.684{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000007544954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007544951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x80000000000000007544950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007544945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 12241200x80000000000000007544943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007544941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\dwminit.dll10.0.14393.2273 (rs1_release_1.180427-1811)DWMInitMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMInit.DLLMD5=2F84B6415D918374A67E50BCE01C3CA2,SHA256=D6A64DE0BFDD504D9C57760F8847EEB3F637774D958BD9D52F000B66EB2AD9D2trueMicrosoft WindowsValid 12241200x80000000000000007544940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 10341000x80000000000000007544918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}62123836C:\Windows\system32\csrss.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007544916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}74764272C:\Windows\system32\winlogon.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.671{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3884055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000007544912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 13241300x80000000000000007544910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3884055Binary Data 12241200x80000000000000007544909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LastLoggedOnProvider 12241200x80000000000000007544908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnUserSID 12241200x80000000000000007544907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnUser 12241200x80000000000000007544906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnSAMUser 12241200x80000000000000007544905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007544904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\DWM\DwmInitSessionActivityId_000000036BFE35A5-A0D8-0002-ACFD-026CD8A0D701 12241200x80000000000000007544903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\DWM 10341000x80000000000000007544902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007544899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeNameNormalSize 12241200x80000000000000007544898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorNameNormalColor 12241200x80000000000000007544896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName%%SystemRoot%%\resources\themes\Aero\Aero.msstyles 12241200x80000000000000007544894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedPPI96 12241200x80000000000000007544892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPIPlateaus1 12241200x80000000000000007544890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI96 12241200x80000000000000007544888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID1033 12241200x80000000000000007544886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore1 12241200x80000000000000007544884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive1 12241200x80000000000000007544882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 12241200x80000000000000007544881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007544877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\UXInit.dll10.0.14393.0 (rs1_release.160715-1616)Windows User Experience Session Initialization DllMicrosoft® Windows® Operating SystemMicrosoft CorporationUXINIT.DLLMD5=3803D95BBCB88A09B1F4043F77B0A52C,SHA256=C7B7522CA9BA3F683ADCFB20AE30533B34E4FC91BEDD283E93D0B733E6B97049trueMicrosoft WindowsValid 12241200x80000000000000007544876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 10341000x80000000000000007544856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007544854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 734700x80000000000000007544852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 10341000x80000000000000007544851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 12241200x80000000000000007544848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 13241300x80000000000000007544845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 734700x80000000000000007544844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63trueMicrosoft WindowsValid 734700x80000000000000007544843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63trueMicrosoft WindowsValid 13241300x80000000000000007544842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayoutDWORD (0x00000000) 13241300x80000000000000007544841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile(Empty) 13241300x80000000000000007544840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID(Empty) 12241200x80000000000000007544839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.638{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession 13241300x80000000000000007544838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.622{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\LastBootTimeFontCacheStateDWORD (0x00000002) 11241100x80000000000000007544837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA3045A889DC72F96641EEF0DF275AF,SHA256=7A5CE6B7522A8B31DA5EA5F28C7C223CA3789C2238F915E3FC65A5D00B7D0960falsetrue 734700x80000000000000007544835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63trueMicrosoft WindowsValid 12241200x80000000000000007544834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007544808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayoutDWORD (0x00000000) 13241300x80000000000000007544807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile(Empty) 13241300x80000000000000007544806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID(Empty) 12241200x80000000000000007544805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession 734700x80000000000000007544804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.569{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x80000000000000007544799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.553{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000007544798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.553{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.553{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.553{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.553{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 13241300x80000000000000007544794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.553{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007544793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.553{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007544792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.538{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\HARDWARE\DEVICEMAP\VIDEO\\Device\Disc\REGISTRY\Machine\System\CurrentControlSet\Services\TSDDD\Device0 12241200x80000000000000007544791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.538{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\HARDWARE\DEVICEMAP\VIDEO 10341000x80000000000000007544790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.538{4DF467A6-913A-613B-7122-01000000F001}62127604C:\Windows\system32\csrss.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 12241200x80000000000000007544789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007544787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9trueMicrosoft WindowsValid 12241200x80000000000000007544786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007544757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\sxssrv.dll10.0.14393.3630 (rs1_release.200407-1730)Windows SxS Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationsxssrvMD5=6544F8B9914C8EF44FFD2965D6D6C4DE,SHA256=B9FB6A183039AD35C0BE6D0DEBCB4618E15CF17D385E4886ED457DA23B31AB8BtrueMicrosoft WindowsValid 12241200x80000000000000007544756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000007544738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\PointerClass\\Device\PointerClass20\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mouclass 12241200x80000000000000007544737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\PointerClass 13241300x80000000000000007544736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007544735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007544734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 12241200x80000000000000007544733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum 13241300x80000000000000007544732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007544731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000007544730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 12241200x80000000000000007544729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum 13241300x80000000000000007544728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Device Parameters\IdentityBinary Data 13241300x80000000000000007544727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Device Parameters\NodeIDBinary Data 13241300x80000000000000007544726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9\(Default)Binary Data 12241200x80000000000000007544725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9 12241200x80000000000000007544724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4} 13241300x80000000000000007544723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006\(Default)Binary Data 12241200x80000000000000007544722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 12241200x80000000000000007544720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers 12241200x80000000000000007544717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 13241300x80000000000000007544714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 12241200x80000000000000007544713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 12241200x80000000000000007544712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 13241300x80000000000000007544711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\KeyboardClass\\Device\KeyboardClass20\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kbdclass 12241200x80000000000000007544710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\KeyboardClass 13241300x80000000000000007544709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007544708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007544707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 12241200x80000000000000007544706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum 13241300x80000000000000007544705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000007544704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000007544703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 12241200x80000000000000007544702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum 13241300x80000000000000007544701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Device Parameters\IdentityBinary Data 13241300x80000000000000007544700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Device Parameters\NodeIDBinary Data 13241300x80000000000000007544699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9\(Default)Binary Data 12241200x80000000000000007544698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9 12241200x80000000000000007544697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4} 13241300x80000000000000007544696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006\(Default)Binary Data 12241200x80000000000000007544695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 12241200x80000000000000007544693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers 12241200x80000000000000007544690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 12241200x80000000000000007544687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007544686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 12241200x80000000000000007544685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 12241200x80000000000000007544684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 12241200x80000000000000007544683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 10341000x80000000000000007544681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 10341000x80000000000000007544678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007544675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\winsrv.dll10.0.14393.3686 (rs1_release.200504-1524)Multi-User Windows Server DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsrv.dllMD5=7BD8CD73F08B93E856BA2F7E6E93F6D0,SHA256=994340D9BF1DBE04F33544DC8FC4B1F72695AD5054F3409AA5F26743070DE55BtrueMicrosoft WindowsValid 10341000x80000000000000007544674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 12241200x80000000000000007544656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 12241200x80000000000000007544654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKCR 12241200x80000000000000007544653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007544651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007544649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007544648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\KernelBase.dll